EXECUTIVE SUMMARY


Hercules  Incorporated  has  conducted  a quantitative  hazards  and 
risk  analysis  on  the  preliminary  design  of  the  proposed  ammonium 
nitrate/nitric  acid  Transfer  facility  to  be  constructed  at  Holston 
Army  Ammunition  Plant. 


The  evaluation  of  all  potential  fire  and  explosion  hazards  was 
accomplished  through  the  application  of  the  Hazards  Evaluation  and 
Risk Control (HERC) program developed by Hercules. This is a quantitative
technique for assessing process risk and specifically conforms
to  the  requirements  of  U.S.  MUCOM  Regulation  385-22,  "Safety  Hazards 
Analysis."  In  addition,  system  failures  and/or  fault  sequences  which 
could  cause  a loss  of  facility  operation  (spills,  blockage,  corrosive 
failure,  etc.)  were  evaluated  through  a logic  modeling  technique. 


In this report, specific recommendations are offered which, when
implemented, would reduce overall system risk in a cost effective
manner. These recommendations, generally consisting of minor modifications
in equipment design and operating procedures, will serve as
a useful guide during the subsequent completion of the facility design.


Relatively  small  overall  fire  and  explosion  probabilities  were 
determined  to  exist  for  the  Transfer  system,  as  currently  designed. 
This is attributed to: (1) the relative insensitivity of process
materials  to  standard  forms  of  initiation,  and  (2)  the  complete  lack 
of  an  explosive  potential  existing  in  the  facility  during  normal 
operations.  Under  certain  abnormal  conditions,  identified  in  the 
analysis,  an  explosive  potential  could  be  present  and  in  such  cases, 
specific  recommendations  are  offered  to  reduce  the  probability  of  an 
explosion occurring. The normal and abnormal operation of the proposed
electrically heated transfer line was found to contribute only
marginally  to  the  overall  facility  risk. 


WARRANTY  AND  DISCLAIMER 


Within  the  scope  of  work,  Hercules  warrants  that  it  has 
exercised  its  best  efforts  in  performing  the  hazards  analysis 
hereunder,  but  specifically  disclaims  any  warranty,  expressed  or 
implied,  that  any  particular  standard  or  criterion  of  hazard  or 
accident  elimination  has  been  achieved  by  Holston  Defense 
Corporation,  if  Holston  Defense  Corporation  adopts  the  findings 
or  recommendations  of  Hercules. 


INTRODUCTION


This  is  the  sixth  and  final  report  for  this  program  under  Contract 
083-0446  to  Holston  Defense  Corporation  (HDC)  for  a Hazards  Analysis  of 
the  Ammonium  Nitrate/Nitric  Acid  (AN/NA)  Transfer  System,  including 
Tank  Farms  C-3  and  C-7.  The  Transfer  System,  currently  in  the  design 
stage,  would  basically  eliminate  the  need  for  loading  and  unloading 
railroad  tank  cars  and  consequently  reduce  personnel  exposure  during 
these  operations. 


The AN/NA Transfer System consists of: (1) the existing pump house,
(2) new 20 foot diameter Storage Tank with Heat Exchanger, (3) new pump
house, (4) new impedance heated 3 inch transfer line, and (5) existing
C-3 and C-7 Tank Farms (3 tanks each).


The  requirements  of  the  Holston  Defense  Corporation  proposal 
request  (W-72-73)  specified  that  a system  analysis  be  performed  to 
identify  undesirable  events  which  have  been  interpreted  to  be  fires, 
explosion,  personnel  injury,  loss  of  product  through  spills,  product 
blockage, corrosion, and system downtime. The occurrence of these
events is determined by a numerical (quantitative) engineering analysis
of the failures (mechanical, electrical, and human) or normal occurrences
(pumping, heating, valve operations and manual cleanup) with respect to
the material response of AN/NA material tested at the specific
environmental conditions found in the process. Process risks are determined and
are provided to HDC management together with information concerning the
probability of hazardous or undesirable events occurring and the expected
effect on the system from the standpoint of personnel injury, equipment
damage/loss, and downtime. This information will facilitate HDC
management decisions concerning changes in the design and operating criteria
so that the system can be optimized for safety, cost, productivity and
quality.


These objectives are generally specified in Army Regulations
and are specifically stated in USAMUCOM Regulation 385-22, "Safety
Hazards Analysis." This regulation outlines the requirements and
criteria for establishing and implementing Hazards Analysis techniques
for concept, development, and production phases for planned
modernization of HK&TE programs for all USAMUCOM installations.


Hercules believes the work objectives have been accomplished through
the use of its Hazards Evaluation and Risk Control Program known as HERC.
This technique was developed by Hercules in 1936 and has been formally
presented and generally accepted throughout the industry as a practical
and cost-effective method of evaluating processing hazards. In fact, the
principal concepts of the Hazards Evaluation and Risk Control program
have been incorporated in MUCOM 385-22. This approach is quantitative
in nature and utilizes a mathematical logic modeling technique in
conjunction with engineering measurements of both the "in-process" energy
and  the  response  of  processed  materials  to  this  energy  to  determine  the 
severity  of  any  hazards  (i.e.,  fires,  explosions)  or  loss  of  production. 
These  data,  coupled  with  a computer  simulation  using  the  logic  model  as 
the  format,  provide  the  probability  that  such  hazards  or  losses  will 
occur  in  the  system  as  designed. 


SUMMARY


A. Objectives

The  objectives  of  this  work  were: 

1.  Determine  the  specific  system  functions  or  failures 
which  could  cause  personnel  injury  or  death,  damage 
to  facility  or  equipment,  or  no  product. 

2.  Evaluate  the  severity  of  these  specific  events;  i.e., 
mechanical  and  electrical  failures,  fires,  explosions, 
and  toxicity  hazards. 

3. Determine the probability of occurrence and safety
margins  of  those  normal  and  abnormal  hazardous  events. 

4. Provide design and operating criteria so that the
system can be optimized from the standpoint of safety,
cost and productivity while maintaining an acceptable
level of product quality.

5.  Provide  management  with  sufficient  information  regarding 
the  probability  of  system  failure  so  that  tradeoff 
decisions can be made concerning risk versus cost.


B. Results and Conclusions


The AN/NA Transfer System has been analyzed utilizing proven HERC
techniques as described in the Introduction. This analysis focuses
attention on estimating the chance of incurring a catastrophic event
and the probable results therefrom to personnel and/or equipment and
provides design and operating criteria for the production operation.

A catastrophe is defined as a fire or explosion event in which personnel
are severely injured or killed or system loss is experienced.


The overall probability of a catastrophic event (explosion) occurring
in the facility during 90 days of operation has been determined to
be 1.1 X 10”^. This evaluation is first based upon the inability of
the normal process material to support a transition-to-explosion when
subjected to a flame stimulus, as demonstrated by transition test data
generated  during  this  program.  Abnormal  conditions,  where  confined 
process  materials  may  become  intimately  mixed  with  organic  material 
(such  as  oil),  are  viewed  as  being  much  more  able  to  support  an 
explosive  transition,  but  these  conditions  have  low  probabilities  of 
ever  occurring.  Another  situation  identified  in  the  analysis  by  which 
an  explosion  potential  would  be  set  up  in  the  facility  is  if  confined 
process  material,  such  as  that  present  in  one  of  the  unvented  tanks, 
were  to  decompose  (give  off  gases)  or  vaporize  rapidly  as  a result  of 
abnormally  high  process  temperatures.  In  light  of  the  highly  abnormal 
conditions  which  must  be  present  before  even  an  explosion  potential  is 
available,  a relatively  low  overall  explosion  probability  has  been 
determined to exist. The most likely source of an explosion is from
abnormal heat exchanger operation, resulting in process liquid
vaporization and subsequent buildup of explosive pressures.


From the analysis it was determined that there is a 1.1 x 10"^
probability that an incident (fire) would occur in the facility
during 90 days of operation. This relatively low incident probability
results from: (1) the relative insensitivity of the process materials
to the standard forms of initiation, and (2) the inability of the process
materials to support a fire even when exposed to a highly energetic
initiation source. Almost all of this incident probability is associated
with normal rubbing at the mechanical seals of the process pumps during
shut down during which initiation (decomposition) will normally occur.


During previous material response testing on AN and no
impact or friction initiation could be detected even when the highest
energy levels available from the testing apparatus were employed. In
those cases where in-process impact or frictional energies were found
to be higher than the maximum energy level available from the testing
apparatus, safety margins and initiation probabilities could not be
calculated. In these cases, it has been conservatively assumed that
no safety margins would exist and that the initiation probabilities
would be 1. Most of these cases involve the normal and abnormal
operation of process pumps, where relatively high in-process energies
are available.


In those cases where initiation probabilities of 1 were determined
to exist, incident (fire) probabilities were concluded to be relatively
small. "Initiation" is defined in this analysis to be localized
decomposition. In order for an incident to occur, the initiation must be
sustained into a fire. Laboratory tests on the process materials
indicate that even when highly energetic ignition sources are employed,
the materials will not support a fire. These results are supported by
burning tests conducted by the Bureau of Mines.


The  general  design  of  the  impedance  heated  transfer  line  was  found 
to  have  adequate  safeguards  to  prevent  excessively  high  or  low  product 
temperatures  from  being  present  in  the  line  for  any  extended  period  of 
time.  With  abnormally  high  temperatures  existing,  the  major  concern 
would  be  possible  corrosive  failure  of  the  piping.  Thermal  initiation 
of  the  process  material  resulting  from  high  process  temperatures  could 
result  in  a fire  or  explosion  only  if  the  materials  were  contaminated 
with organic material, such as oil. The probability of a fire
originating at the electrically heated transfer line during normal, abnormal,
and cleanup operations has been determined to be an insignificant
contributor to the overall 1.1 x 10“^ incident (fire) probability associated
with the entire facility.


Several  single-point  component  failures  were  identified  with  the 
operation  of  the  new  Storage  Tank  and  Heat  Exchanger  which  could  result 
in  abnormal  product  temperatures  existing  at  the  Heat  Exchanger.  Such 
failures,  if  not  promptly  corrected,  would  lead  to  (1)  vaporization  of 
process  liquid  resulting  in  explosive  pressure  buildup,  or  (2)  excessive 
system  corrosion  or  blockage  via  freezing.  The  basic  problem  lies  in 
the  fact  that  the  Heat  Exchanger  control  system  (temperature  transmitter 
and  controller  monitoring  the  Storage  Tank  temperatures)  is  essentially 
isolated  from  the  actual  heating  operation  at  the  Heat  Exchanger.  It 
is recommended that product temperature at the Heat Exchanger be
continuously monitored. This would involve installing a temperature
transmitter at the Heat Exchanger which would be tied into a
temperature indicator on the master control panel.


The Reliability Analysis showed that there is an average
probability of 0.18 of having at least one random system failure occurring
during a 90 day operating period which would result in no product being
available from both Tank Farms (C-3 and C-7). This probability
encompasses over a hundred single point failures, including primary and
secondary  component  failures  and  human  error  in  equipment  adjustment, 
maintenance,  or  selection.  Many  of  the  electronic  sensors,  controllers, 
etc.,  utilized  in  the  facility  are  critical  to  the  operation  of  the 
facility  in  the  sense  that  a single  failure  would  lead  to  a shut  down 
of  both  Tank  Farms. 


The three inch Transfer Line (impedance heated) contributes almost
50% to the overall 0.18 failure probability. This results mainly from
the relatively large number of components present in the ten heating
units  employed  at  the  line.  In  the  analysis  it  is  conservatively 
assumed  that  should  an  abnormally  high  or  low  product  temperature  be 
indicated  to  exist  in  the  Transfer  Line  the  line  would  be  shut  down. 


The Reliability Analysis has been based upon generic component
failure rate data, such as that presented in FARADA. The highly
corrosive  operating  environment  present  in  the  facility  will  play  an 
important  role  in  ultimately  determining  the  actual  reliability  of 
the  system.  For  this  reason,  the  value  of  the  reliability  analysis 
lies  in  its  ability  to  identify  those  areas  of  the  facility  which 
are most critical to the reliable operation of the system. Minimizing
the effects which component failures will have on the facility
operation  can  best  be  effected  by  maintaining  detailed  records  on 
component  failures  and  maintenance  for  future  repair. 


C.  Recommendations 

From the analysis of the present design of the AN/NA Transfer
System,  the  following  recommendations  are  made: 

(1)  The  temperature  of  the  material  at  the  Heat  Exchanger  should 
be  monitored.  This  can  be  accomplished  by  installing  a temperature 
transmitter at the Heat Exchanger which would input into an indicator
in Bldg. 330. This setup would significantly reduce the probability
of excessive corrosion or product freezing occurring in the Heat
Exchanger. In addition, the overall explosion probability for the
facility may be reduced by several orders of magnitude.

(2)  An  emergency  pressure  relief  valve  should  be  installed  at 
the  new  storage  tank.  This  would  reduce  the  probability  of  explosive 
pressures  building  up  as  a result  of  process  liquid  vaporization  (high 
product  temperature  which  goes  uncorrected). 

(3)  The  bayonet  steam  heater  for  the  Storage  Tank  which  serves  as 
a backup  to  the  Heat  Exchanger  may  be  either  manually  or  automatically 
operated.  The  important  point  is  that  the  temperature  transmitter  and 
indicator/recorder  (which  indicate  when  additional  heating  is  required) 
should be separate from the Heat Exchanger controls (TT-3 and TIC-3).
In this manner, two single point failures which could cause product
freezing in the Storage Tank would be eliminated.

(4)  Consideration  should  be  given  to  the  possibility  of  employing 
a temperature  control  system  for  the  long  steam  traced  lines.  It  has 
been  assumed  in  the  system  analysis  that  the  normal  operation  of  steam 
traces  would  result  in  acceptable  product  temperatures.  This  area 
should  be  investigated  during  the  remaining  portion  of  the  design 
program from the standpoint of maximizing reliability.

(5)  When  operating,  cleanup,  and  maintenance  procedures  are  written, 
particular emphasis should be placed upon avoiding the accidental
introduction of organic materials, such as oil, grease, etc. into the process
flow. The small scale introduction of such contaminants could
significantly increase the likelihood of an initiation being sustained into a
localized fire, whereas massive contamination of process materials would
set up a serious explosion potential (Sprengel explosive).

(6) During the cleanup of the impedance-heated transfer line,
power to the heating units should be cut off. A protective covering
should be placed over exposed electrical wires and other equipment to
reduce the likelihood of corrosive damage (shorts, etc.) occurring
as a result of sloppy cleanup procedures.

(7)  Should  a high  product  temperature  be  indicated  in  the  impedance- 
heated  transfer  line,  it  is  recommended  that  the  power  to  the  particular 
heating  unit  be  immediately  cut  off  while  maintaining  constant  product 
flow. Immediately stopping the product flow (via pump shutdown) would
increase  the  likelihood  of  an  initiation  occurring  in  localized  hot 
spots. 

(8)  It  is  understood  at  this  time  that  Holston  is  considering  the 
use  of  concrete  boxways  and  steel  pipe  supports  in  replacement  of  currently 
existing wooden supports. Installing the transfer lines in a concrete
boxway (steel supports) would reduce the likelihood of a fire occurring as a
result of a leak. Contact between the process materials and organic
materials (wooden pipe supports or organic pipe insulation) could result
in spontaneous combustion.

(9) Based on explosive propagation (critical diameter) test results,
it is recommended that the 4" diameter pipe proposed to connect the new
storage tank and new pump house not be employed. If a single 3" pipe
is not feasible, from a production standpoint, two parallel pipes
(diameter ≤ 3") are recommended in place of the single 4" pipe. In
this manner, the likelihood of an explosion propagating between the
new pump house and storage tank is significantly reduced.


I.  PRELIMINARY  HAZARDS  ANALYSIS 


A.  Process  Survey 

The  process  survey  phase  of  the  program  consisted  of  an  in-depth 
review of available design drawings, manufacturers' literature, etc.,
in  order  to  become  intimately  familiar  with  the  proposed  system,  so 
that  system  failure  could  be  defined  in  terms  of  fire/explosions  and 
reliability.  Failure  rates  of  system  components  such  as  pumps,  valves, 
sensors, controllers, etc., were determined using sources such as
manufacturers' specifications, and established data banks of FARADA and
ROME. The data sources were adequate to define the system
reliability and thus alleviate the need for any additional component failure
rate testing. Individual component failure rates are discussed in more
detail under Section IV, Risk Analysis, of this report.


B.  Logic  Model 

The  background  obtained  in  the  process  survey  and  the  assistance  of 
HDC engineering personnel provided the data baseline for the construction
of  the  system  logic  model. 


This technique is a recognized means of augmenting the
preliminary hazards analysis by serving as a useful tool in an in-depth
evaluation of the system by defining all credible failure modes of the
system, whether they be from human, electrical, or mechanical causes or
from normal or abnormal system states. The logic model also provides
the basic method for analyzing the interrelationships among the various
components of the system. The logic model can also function as a useful
troubleshooting guide for HDC in the event of system failure,
particularly in the control systems, by identifying the systems failure area
on the model and determining what the immediate cause(s) or underlying
cause(s) are that contribute to the systems failure, thus helping to
pinpoint the specific component(s) failure.


The  logic  model  begins  with  the  top  undesired  event  "no  product 
from both Tank Farms" and proceeds through logical steps (gates)
backwards through the system to the existing pumphouse at the beginning
of the process. By constructing the model in this manner, each
component of the system can be evaluated separately in terms of either
its own failure or the immediate causes that would contribute to the
failure  of  the  component.  This  technique  results  in  an  in-depth 
systems  failure  logic  that  is  extremely  comprehensive  and  provides 
for  an  accurate  account  of  all  credible  failures  and  failure  causes 
of  all  system  components. 


The  basic  symbols  used  in  the  construction  of  the  logic  model 
consist of logic gates such as "and," "or," and "inhibit" gates and
event  representations  such  as  circles,  rectangles,  diamonds,  and 
houses.  These  basic  symbols  are  described  in  Table  I-A  and  the  logic 
diagram  itself  is  shown  in  its  entirety  in  Appendix  A.  To  present 
the  model  in  convenient  form  for  inclusion  in  this  report,  the  author 
relied heavily on the use of the transfer symbol. This device
facilitates the transfer of information from one section of the model to
another. 


The  model  depicts  two  major  failure  areas  that  are  of  primary 
importance to the overall analysis of the system: (1) loss of
production or systems damage resulting from material initiation, fire
or  explosions,  and  (2)  loss  of  operation  due  to  human  or  component 
failures. 


C.  Qualitative  Analysis 

In  the  qualitative  sense,  the  logic  diagram  consists  mostly  of 
"or"  gates  and  "inhibit"  or  "sensitivity"  gates.  Any  single  failures 
linked  to  the  top  event  through  "or"  gates  will  cause  the  top  event  to 
occur.  For  example,  failure  of  TIC-3  (page  Q3  of  logic  model)  will 
result  in  failure  of  the  system  and  cause  the  top  undesired  event  to 
occur.  Over  one  hundred  single  factor  failure  modes  were  identified 
from the logic model. The failures identified from the logic model
consist of mechanical or electrical components and human factors
such as failing to perform functions correctly or doing something
at  the  wrong  time.  There  are  also  many  failures  that  are  common  to 
both  the  fire/explosion  and  reliability  failure  modes  such  as  a pump 
impeller  failure.  This  aspect  of  the  analysis  is  discussed  in  more 
detail  in  Section  IV  of  this  report. 


The failure logic developed for loss of production or system damage
resulting  from  material  initiation,  fire  or  explosion,  consists  of  system 
states  that  are  directly  related  to  component  failures,  human  error,  and 
normal  plant  operation.  Initiation  potentials  of  impact,  friction, 
thermal,  and  impingement  are  identified  for  these  system  states  and  have 
been  developed  to  their  fundamental  causes.  As  an  example,  a listing 
of  the  identified  potential  initiation  modes  associated  with  the 
operation of a process pump is shown in Table I-B. All of the
potential initiation modes for each piece of equipment require an
engineering analysis to determine ultimate safety margins and initiation
probabilities.


TABLE I-A

LOGIC SYMBOLOGY AND DEFINITIONS


LOGIC OPERATIONS

"Or" gates define the situation whereby the output event will exist if
one or more of the input events exist.

"And" gates describe the logical operation whereby all input events have
to occur simultaneously to produce the output event.

"Inhibit" or "Sensitivity" gates describe a causal relationship between
one event and another. The input event directly produces the output
event if the indicated condition is satisfied.


EVENT REPRESENTATIONS

Boxes represent events which are usually expressed as a failure that
results from the combination of fault events through the input logic
gate.

Diamonds represent fault events that are considered basic and define the
limit of resolution. The possible causes of the event are not developed
either because the event is of insufficient consequence or because the
necessary information is not available.

Circles represent basic fault events or primary failures that require no
further development. Frequency and mode of failure of items so
identified are derived from tests or existing data banks.

Houses represent events that are normally expected to occur such as air
being present outside operating vessels.

Transfer symbols (out transfer, similarity transfer): information from
one section of the diagram to another.


TABLE I-B

POTENTIAL INITIATION MODES OF A PROCESS PUMP

| No. | Initiation Mode | Description of Event |
|-----|-----------------|----------------------|
| 1 | Friction | Mechanical seal rubbing during startup/shutdown |
| 2 | Thermal | Frictional heating in seal area |
| 3 | Friction | Impeller rubs pump housing |
| 4 | Impact | Impeller impacts pump housing |
| 5 | Friction | Impeller rubs foreign object |
| 6 | Impact | Impeller impacts foreign object |
| 7 | Friction | Impeller rubs layered process solids |
| 8 | Thermal | Shear heating of confined material |
| 9 | Impingement | Low material level in pump |
| 10 | Friction | Removal of contaminated flange bolts |
| 11 | ESD | Charge buildup on ungrounded operator |
| 12 | Impact | Operator drops nut, bolt, tool into contaminated area |


The use of the "inhibit" or "sensitivity" gate provides a means
of  logically  illustrating  the  in-process  conditions  that  have  to  be 
satisfied  in  order  for  the  failure  logic  to  pass  through  the  inhibit 
gate.  For  example,  on  page  LI  of  the  logic  model  for  the  development 
of  the  fire/explosion  logic  for  a process  pump,  the  impact  energy 
available  due  to  the  pump  impeller  hitting  the  pump  housing  must  be 
compared to the sensitivity of the material to determine the
probability of an initiation occurring.


The  excerpt  from  the  logic  diagram  in  Figure  I-a  illustrates  the 
use  of  the  "inhibit"  gate.  This  gate  facilitates  the  computation  of 
the  probability  of  the  occurrence  of  A which  is  the  product  of  B and 
C probabilities.  The  probability  of  B naturally  depends  upon  the 
failure  logic  below  it  and  is  eventually  keyed  in  to  the  probability 
of  the  component  failures  that  contribute  to  B occurring,  while  the 
probability  of  C depends  upon  the  results  of  the  material  response 
test  and  the  in-process  impact  energy.  More  explanation  of  the 
"inhibit"  gate  and  how  the  various  inputs  are  developed  is  given  in 
this  report. 


The analysis and construction of the logic model for the
reliability analysis are analogous to that of the fire/explosion already
discussed  except  there  are  no  sensitivity  gates  for  this  analysis. 
This  analysis  yielded  over  100  modes  whose  existence  would  lead  to  a 
no-product  condition.  These  failure  modes  were  distributed  between 
mechanical, electrical, and human errors. How each of these
components is evaluated and their impact on the system reliability will
be  discussed  in  Section  IV. 
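
The gate arithmetic described above, as an added Python example that is not part of the Hercules report or its logic model: it evaluates "or", "and" and "inhibit" gates and lists the single-point failures that reach the top event through "or" gates only. Every event name other than TT-3 and TIC-3, every probability, the constant-failure-rate conversion and the assumption of independent, non-repeated basic events are constructed for illustration.

```python
"""Logic-model (fault-tree) evaluator with "or", "and" and "inhibit" gates.

Added illustration: every probability and every event name other than
TT-3 and TIC-3 is constructed. Basic events are assumed independent and
each is assumed to appear only once in the tree.
"""
import math
from dataclasses import dataclass, field

MISSION_HOURS = 90 * 24  # 90-day operating period used in the report


def rate_to_prob(failures_per_hour, hours=MISSION_HOURS):
    """Constant failure rate -> P(at least one failure within `hours`)."""
    return 1.0 - math.exp(-failures_per_hour * hours)


@dataclass
class Basic:
    name: str
    p: float


@dataclass
class Gate:
    name: str
    kind: str                      # "or", "and" or "inhibit"
    inputs: list = field(default_factory=list)
    condition: float = 1.0         # inhibit only: P(condition satisfied)


def probability(node):
    """Probability that the event represented by `node` occurs."""
    if isinstance(node, Basic):
        return node.p
    ps = [probability(child) for child in node.inputs]
    if node.kind == "or":          # at least one input occurs
        return 1.0 - math.prod(1.0 - p for p in ps)
    if node.kind == "and":         # all inputs occur together
        return math.prod(ps)
    if node.kind == "inhibit":     # A = B * C, as in the Figure I-a excerpt
        if len(ps) != 1:
            raise ValueError(f"inhibit gate {node.name!r} takes one input")
        return ps[0] * node.condition
    raise ValueError(f"unknown gate kind {node.kind!r}")


def single_point_failures(node):
    """Names of basic events that reach `node` through "or" gates only."""
    if isinstance(node, Basic):
        return {node.name}
    if node.kind == "or":
        found = set()
        for child in node.inputs:
            found |= single_point_failures(child)
        return found
    if node.kind == "and" and len(node.inputs) == 1:
        return single_point_failures(node.inputs[0])
    if node.kind == "inhibit" and node.condition >= 1.0:
        return single_point_failures(node.inputs[0])
    return set()                   # needs a second event or a condition


def reliability_tree():
    """Top event "no product from both Tank Farms" (constructed inputs)."""
    controls = Gate("heat exchanger control lost", "or", [
        Basic("TT-3 fails", rate_to_prob(5e-6)),    # constructed rate
        Basic("TIC-3 fails", rate_to_prob(5e-6)),   # constructed rate
    ])
    pumps = Gate("both pumps down", "and", [        # hypothetical pair
        Basic("pump A fails", 0.05),
        Basic("pump B fails", 0.05),
    ])
    return Gate("no product from both Tank Farms", "or", [controls, pumps])


def pump_initiation_tree():
    """Inhibit gate: impact event B gated by material response C."""
    impact = Gate("impeller impacts housing", "or", [
        Basic("bearing failure", 1e-3),             # constructed
        Basic("shaft misalignment", 2e-3),          # constructed
    ])
    return Gate("impact initiation at pump", "inhibit", [impact],
                condition=1e-2)                     # constructed P(C)


def many_small_failures(n=100, p=0.002):
    """n independent single-point failures under one "or" gate."""
    events = [Basic(f"component {i}", p) for i in range(n)]
    return probability(Gate("no product", "or", events))


if __name__ == "__main__":
    top = reliability_tree()
    print(f"P(top event)       = {probability(top):.4f}")
    print(f"single points      = {sorted(single_point_failures(top))}")
    print(f"P(pump initiation) = {probability(pump_initiation_tree()):.2e}")
    print(f"100 events x 0.002 = {many_small_failures():.3f}")
```

With the constructed value of 0.002 per component, one hundred single-point failures under a single "or" gate combine to roughly 0.18, which shows how many individually small failure probabilities add up to a figure of the size the report gives for the 90 day period.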


Figure I-a. Excerpt from Logic Model


II. MATERIAL RESPONSE


This section of the report presents the fire and explosion
characteristics of the ammonium nitrate/nitric acid (AN/NA) material which will be
present in the transfer facility. The sensitivity data, expressed in
engineering terms, summarized in this section will be employed in the
Engineering Analysis and Hazards Evaluation (Section III) to determine the
safety margin associated with each potentially hazardous operation and in
the Risk Analysis (Section IV) to determine overall hazard probabilities.
Also included in this section is a discussion of the explosive
characteristics of AN/NA in terms of its ability to transit to an explosion when
exposed to a flame stimulus, as well as its ability to propagate an explosive
reaction.


A.  Ammonium  Nitrate/Nitric  Acid  Sensitivity 

Most of the sensitivity data on ammonium nitrate/nitric acid (AN/NA)
employed in the analysis was either generated during recently completed
programs for Holston or was available from the Hercules data files.
A summary of all of the sensitivity data employed in the analysis is
presented in Table II-A.


Both the AN powder and AN/NA solution were found to be relatively
insensitive to the standard forms of initiation, except in the case of
electrostatic discharge. In fact, no impact or friction initiation could
be detected even when the highest energy levels available on the testing
apparatus were employed. An ammonium nitrate/oil mixture (95/5) was
evaluated in the belief that: (1) oxidizer/organic mixture would be a more
sensitive mixture than the ammonium nitrate by itself, and (2) such a
mixture could be present in the facility during maintenance/cleanup of
pumps, etc. However, the sensitivity levels of even this mixture were
beyond the capabilities of the test apparatus, except for ESD where the TIL
dropped from 5 joules to 0.5 joules due to the presence of the oil. This
difference is not viewed as being highly significant. Testing of the solid
AN/NA mixture (unheated) was not deemed necessary due to the relative
insensitivity exhibited by pure AN and the AN/oil mixture.


The impact sensitivity data on the AN/NA solution is expressed in
Table II-A in terms of an energy rate (ft-lb/sec). From Hercules' extensive
research in explosive testing, it has been found that energy rate is the
engineering term which best describes the stimulus/reaction characteristic
for impact initiation of liquids and slurries. For the impact initiation
of solids, in this case AN, the best engineering term has been found to be
energy per area (ft-lb/in^2).

Because safety margins (and initiation probabilities) are directly
based upon material response data, it is necessary for exact sensitivity
data to be available if quantitative safety margins are to be calculated.
Since the impact and friction sensitivity data on the ammonium nitrate
and AN/NA solution are expressed as "greater than" values, it will be
impossible in the hazard analysis to define exact safety margins and
quantitative probabilities. This subject will be discussed in greater
detail in Section II-E below.


From the standpoint of electrostatic (ESD) initiation, the AN/NA
solution was found to be slightly more sensitive than the AN/oil mixture
and significantly more sensitive than AN powder. The AN/NA solution was
tested at 40°C, the approximate process temperature, whereas testing on
the AN and the AN/oil mixture was performed at ambient, simulating
cleanup conditions.


At the highest level of the impingement testing apparatus, no initiation
was detected. This corresponds to a threshold initiation level of >750
ft/sec.


The thermal stability of the process materials must be fully
characterized in order to accurately assess potential cook-off hazards which
may exist in the facility (e.g., pump seal, heated transfer line, etc.).
The decomposition temperature for pure AN is reported in the literature
to be between 230 and 260°C.


In a recently completed program, a DSC trace was run on an AN/oil
mixture (95/5) to determine what effect, if any, the presence of a small
amount of organic material would have on the thermal stability of ammonium
nitrate. In this test, decomposition occurred just slightly above 260°C,
which indicated that the organic material had no significant effect upon
AN stability. The same results were observed when nitric acid was added to
the AN/oil. These results are applicable to the Transfer system since,
during maintenance/cleanup, organic material such as oil could be
introduced into the process accidentally.


From the thermal data it can be concluded that significant decomposition
of AN may be expected to occur in the process should temperatures in excess
of 250°C exist. Decomposition, defined as the generation of gases, should
not result in a fire, since pure AN will not burn. The burning
characteristics of AN are discussed in the next section. Although AN or
AN/NA will not burn when initiated, it is reported that AN/oil mixtures
("Sprengel explosive") are capable of burning and sustaining a transition
to explosion.

The gases formed during the decomposition of the AN may include highly
reactive oxidizers, such as N20^. At the relatively high temperatures
required for significant AN decomposition to occur, such gases should react
violently with any fuels with which they may come in contact. This again
points out the importance of keeping oil, grease, and other fuel contaminants
out of the process flow.


B.  Sustained  Burning  Results 

An infrared analyzer ("LIRA") was employed in the sensitivity testing
to detect when an initiation (decomposition) occurs. If the hazards
analysis were based on this data alone, a highly conservative analysis would
result since it would be incorrectly assumed that all initiations
(decomposition) result in an incident (fire). To determine the likelihood
of an initiation being sustained into a fire, sustained burning tests were
performed on the AN and AN/NA materials as part of the recently completed
D-Building analysis.


It was found that neither the AN nor AN/NA materials sustained a fire
when ignited by a highly energetic thermite igniter. By comparing the
energy required for initiation (threshold initiation level), determined from
the sensitivity testing, to the energy released from the igniter during the
burning tests, an energy ratio can be calculated. This ratio is used in
this analysis as a rough estimate of the probability of an initiation
being sustained into a fire. For AN powder and AN/NA mixture, this
probability is calculated to be quite low, about lO*^.


A discussion of the test equipment and procedures employed in these tests
is included in the Experimental Section (Appendix B).


These test results are supported by theoretical adiabatic flame temperature
calculations on AN (Appendix D) and Bureau of Mines burning tests performed
on pure AN. As noted earlier, AN contaminated with oil is reported to be
capable of sustaining a fire.


C. Transition-to-Explosion

One extremely important aspect of material response testing is to determine
how the AN/NA materials behave under flame conditions at various material
confinements. The transition tests were conducted to determine the material
height and confinement conditions required for the liquid and solid (frozen)
AN/NA materials to promote growth from an ignition stimulus to a transiting
explosive reaction. A typical test setup is shown in Figure II-a. The
results of the transition testing are summarized in Table II-B.


The results indicate that should a fire develop in the transfer system,
the process materials would not readily support a transition to explosion.


Figure II-a. Transition Test Set-Up


No transition was observed in any of the tests using a 4" diameter
Schedule 40 pipe at a material height of 24" in the pipe. Tests were
run at both 70°F (solid) and 100°F (liquid) to represent cleanup and
operating conditions respectively.


These results are in agreement with previously completed transition
tests performed at this laboratory on several grades of solid AN. In
these tests, no transition was observed in 2" and 4" diameter pipes
containing up to 48" of solid AN.


TABLE II-B

TRANSITION TEST RESULTS

Test            Temperature   Confined Diameter   Confined Height   Results
AN/NA liquid    100°F         4"                  24"               No reaction
                100°F         4"                  24"               No reaction
                100°F         4"                  24"               No reaction
AN/NA solid     70°F          4"                  24"               No reaction
                70°F          4"                  24"               No reaction
                70°F          4"                  24"               No reaction


D. Explosive Propagation

Propagation tests were performed on the AN/NA mixture to establish
the critical diameter below which the material would not propagate an
explosive reaction when exposed to a detonation shock. The results of
these tests are used in determining overall system risk, in terms of an
explosion in one area of the facility propagating into other areas.


The  test  results,  summarized  in  Table  II-C,  indicate  that  the  critical 
diameter  of  the  confined  AN/NA  material  is  between  3"  and  4".  That  is,  an 
explosion  occurring  in  a 3"  diameter  pipe  in  the  transfer  system  will  not 
propagate  along  the  pipe  whereas  4"  diameter  pipe  containing  AN/NA  will 
support  an  explosive  propagation. 


There is only one area in the facility, as currently designed, which
will contain piping >3" diameter. This is the process piping connecting
the new storage tank with the new pump house. By employing a 3" diameter
pipe (or possibly two smaller pipes) in place of the 4" pipe, the
probability of an explosion propagating through this pipe would be greatly
reduced.


TABLE II-C

EXPLOSIVE PROPAGATION (CRITICAL DIAMETER) TEST RESULTS

Material   Test Temperature (°0   Critical Diameter (inch)   Results
AN/NA      100                    2                          No propagation
AN/NA      100                    3                          No propagation
AN/NA      100                    3                          No propagation
AN/NA      100                    3                          No propagation
AN/NA      100                    4                          Propagation, small pipe pieces


E. Initiation Probabilities


Material  response  data  must  be  treated  statistically  (i.e.,  "what  is 
the  probability  of  an  initiation  at  certain  input  energy  levels?")  so 
that  material  response  in  probabilistic  terms  can  be  applied  to  the  logic 
model  at  the  "inhibit"  gates  to  facilitate  a quantitative  analysis  of  the 
system  logic  model.  Normally,  sensitivity  data  are  plotted  on  probability 
paper  showing  the  probability  of  initiation  (percentage  of  shots)  as  a 
function  of  the  amount  of  stimuli  input  to  the  test  material;  the  higher 
the  energy  input,  the  higher  the  percentage  of  shots. 


This statistical technique has only a limited application to the
ammonium nitrate or AN/nitric acid test data since initiations were not
detected, even at the highest energy test level, when these materials were
exposed to impact and friction stimuli. Only in the case of ESD stimuli
were initiations at different test levels detected. Thus, in cases
involving impact or friction process conditions, exact initiation
probabilities (as well as safety margins) could not be accurately
established.


In cases where in-process impact or frictional energies are higher than
the maximum energy level available from the test apparatus, it is assumed
in the analysis that an initiation probability of 1.0 would exist (with no
safety margin existing). In cases where in-process energies are lower
than the maximum test level, initiation probabilities are estimated,
assuming: (a) the threshold initiation level (TIL) of the material
corresponds to the maximum test level, and (b) the relationship between
percentage of shots and energy levels (i.e., the "probit slope") is
similar to that of other explosives, such as RDX. A line, with this probit
slope, is drawn through the data point corresponding to the assumed TIL of
the material. The assumptions employed in the estimation of initiation
probabilities are viewed as being conservative in nature in the sense that
actual initiation probabilities are likely to be less than those presented
in this report.


III.  ENGINEERING  ANALYSIS  AND  HAZARDS  EVALUATION 


A. Introduction

The objective of this evaluation is to determine quantitative safety
margins associated with each potentially hazardous operation (normal and
abnormal) of the facility. A safety margin, defined as

    required (material response) energy
    ----------------------------------- - 1,
       available (in-process) energy

is useful in pointing out those situations, among all of the potentially
hazardous events, which are likely to be more hazardous than others if
they were to occur. However, in order to assess each potential hazard
in terms of risk (expected loss), each event must be evaluated on a
probabilistic basis. Such a probabilistic study has been performed and
these results are presented in Section IV, Risk Analysis.


B.  Summary  and  Conclusions 


The  hazards  analysis  identified  several  operations  (normal  and  abnormal) 
where  no  or  only  marginal  safety  margins  exist.  These  situations  involve, 
for  the  most  part,  operation  of  the  process  pumps  where  extreme  in-process 
energies  are  capable  of  being  generated.  Under  these  conditions,  the 
material  response  data  are  such  that,  due  to  the  relative  insensitivity 
of  the  process  materials,  it  can  not  clearly  be  demonstrated  that  a safety 
margin  exists.  The  likelihood  of  an  initiation  of  AN  or  AN/NA  being 
sustained  into  a fire,  as  discussed  in  Section  II,  is  quite  small.  Should 
a fire  occur  in  the  system,  it  is  concluded  from  the  transition-to- 
explosion  test  data  that  the  incident  would  not  normally  develop  into  an 
explosion. 


A detailed  discussion  of  the  Engineering  Analysis  and  Hazards  Evaluation 
performed  on  the  system  is  presented  below.  The  incident  probabilities 
associated  with  the  potentially  hazardous  events  identified  in  this  analysis 
were  determined  as  part  of  the  Risk  Analysis  portion  of  this  program. 


C.  Analysis  of  Subsystems 

The ammonium nitrate/nitric acid storage and transfer system basically
consists of two separate Tank Farms (three tanks each) which are both fed
by a 3" diameter, impedance-heated transfer line. Several pumps (in
parallel), which feed the transfer line, are supplied with product from a
20-foot diameter storage tank. Material is pumped into the storage tank
via the existing pumphouse, containing two parallel pumps. To maintain
the product temperature above its freezing point, the transfer line is
impedance heated and the other connecting piping is steam traced. The
storage tank is equipped with a heat exchanger (as well as an auxiliary
bayonet steam heater), each of the six tanks at the tank farms has its
own steam bayonet heater, and the existing and new pumphouses are steam
heated. All tanks and lines are insulated with CaSiO2.


1.  Process  Pumps 

At the present design stage of the facility, the selection of a
particular pump model to be employed in the new pumphouse has not been
made. Analysis of the two candidate pumps, Durco Sealmatic and Wilfley,
indicates that similar in-process energies would exist for the operation
of the two pumps. Thus, safety margins are concluded to be similar.

However,  it  is  impossible  to  calculate  quantitative  safety  margins  for 
many  of  the  potentially  hazardous  abnormal  situations  which  may  occur 
during  the  pumping  of  the  AN/NA  material  since  exact  frictional  and  impact 
energy  levels  at  which  this  material  (or  solid  AN)  will  initiate  could 
not  be  determined.  From  previous  material  testing,  as  noted  earlier, 
solid  AN  and  the  AN/NA  material  have  been  found  to  be  relatively  insensitive 
to  impact  and  friction  stimuli.  The  energy  levels  at  which  the  materials 
initiate  are  beyond  the  energy  test  level  of  the  laboratory  test  equipment. 


The  in-process  potentials  associated  with  the  centrifugal  pumping 
operations  are  relatively  high  and,  for  the  most  part,  beyond  the  capability 
of  the  laboratory  test  equipment.  A valid  analytical  technique,  applicable 
to  the  frictional  hazards  evaluation  of  most  pumps,  is  to  extrapolate  the 
material  response  data  obtained  at  several  lower  velocities  to  cover  a 
higher  range  (corresponding  to  impeller  or  shaft  speeds).  This  technique 
is  not  possible  in  this  particular  evaluation  since  the  required  pressure 
levels  at  the  lower  velocities  are  beyond  the  capability  of  the  test 
equipment. A similar situation exists, in this particular case, for impact
situations such as impeller/pump housing or foreign object.


Thus,  quantitative  safety  margins  can  not  be  calculated  for  many 
of  the  potential  hazards  involved  in  the  pumping  operation.  In  such  cases, 
it  has  been  conservatively  assumed  in  this  analysis  that  no  safety  margins 
would  exist.  These  situations  include: 

(1)  Friction  or  impact  between  impeller  (repeller)  and  housing 

(2)  Friction  or  impact  between  impeller  (repeller)  and  foreign 
object 

(3)  Friction  between  impeller  and  deposited  AN 

(4) Rubbing between mechanical seal surfaces

In the above situations, where no safety margins are concluded to exist,
the  probability  of  a fire  occurring  in  the  pump  will  depend  upon  the 
probability  of  the  initiating  event  occurring  (normal  or  abnormal)  and 
the  probability  of  the  initiation  being  sustained  into  a fire.  Of  the 
situations  listed  above,  only  the  one  involving  rubbing  at  the  mechanical 
seal  will  be  a normal  condition. 


For  the  Durco  and  Wilfley  pumps,  rubbing  at  the  mechanical  seal 
interface  will  only  occur  during  pump  startup  and  shutdown,  assuming  the 
pumps  are  operating  as  designed.  During  shutdown,  contact  at  the  Durco 
pump  seal  begins  when  the  power  to  the  pump  is  cut  off  (via  solenoid 
interlock)  whereas  for  the  Wilfley  pump,  seal  contact  does  not  occur  until 
the  rotating  speed  of  the  impeller  has  slowed  (via  mechanical  governor 
and  spring).  In  the  analysis  of  both  pumps,  it  has  been  assumed  that 
velocities  at  the  seal  interfaces  during  contact  correspond  to  the  maximum 
operating  velocity  of  each  pump. 


Since the mechanical pump seals will not be flushed, solid AN
should gradually build up in the seal area. Rubbing in the seal area
represents both a frictional and thermal initiation hazard. The frictional
in-process potential is 22,000 psi at 14 ft/sec for the Durco pump, this
pressure corresponding to the compression yield strength of the carbon
insert. For the Wilfley pump, an in-process potential of 3,000 psi
(teflon yield strength) at 14 ft/sec would exist. The available material
response data on AN indicate that the initiation level is >120,000 psi
at 8 ft/sec. From these data, a safety margin can not be calculated.

Previous work at this laboratory on mechanical pump seals has indicated
that high temperature (> 200°C) can rapidly develop in non-flushed seals,
which will be the case here. Ammonium nitrate begins to decompose around
230°C, based on DSC data generated at this laboratory and reported in the
literature (Section II). Thus it is concluded that decomposition of AN
will normally occur in the mechanical seals of the process pumps present
in the facility.


The probability of a fire occurring in the seal area, as a result of
friction initiation or thermal decomposition of the AN, is regarded as
being quite low based on burning tests performed on AN and AN/NA. However,
should an organic contaminant, such as oil, be present in the pump seal
area, the chance of a fire occurring as a result of AN initiation is
much greater.


Based on the transition-to-explosion test data on solid AN and the
AN/NA material, should an initiation occur in a process pump and be
sustained into a fire, the fire would not transit to an explosion. As noted
in Section II, the process materials were found not to exhibit a transition
capability, under the test conditions examined.


2. Plug and Ball Valves

Durco "Sleeveline" plug valves will be employed in the pumphouse and
storage tank areas. They may also be present at the two Tank Farms, although
Jamesbury ball valves are also possible candidates for use in this area.


Comparison of the in-process energies which may occur during the
normal and abnormal operation of the plug and ball valves to the material
response data on the process materials indicates that positive safety
margins exist. This is attributed to the relative insensitivity of these
materials to friction stimuli and to the small in-process potentials which
will exist during the operation of these valves.


Comparing the two valves, Durco plug versus Jamesbury ball, it is
concluded that similar in-process potentials will be associated with the
normal and abnormal operations of each valve. This is due to their close
similarity in design, materials of construction, and operation.


3.  Globe  and  Pressure  Relief  Valves 


One  globe  valve  (split  body)  will  be  employed  at  each  of  the  six 
tanks  comprising  the  C-3  and  C-7  Tank  Farms  as  an  automatic  (air  actuated) 
level  control  valve.  In  addition,  each  tank  will  have  its  own  pressure 
relief  valve. 


Selections of particular valve models have not been made at this
particular stage of the facility design. Thus, the analysis was performed
on the operation of globe valves and relief valves, in general.


A comparison of in-process potentials to material response data
indicates that positive safety margins will exist during the normal and
abnormal operation of the globe and relief valves. This can again be
attributed to the relative insensitivity of the process materials to
friction and impact stimuli and to the small in-process energies associated
with the operation of the valves.


As discussed earlier, should a fire occur in one of these valves,
a transition-to-explosion would not be likely, based on the transition
tests performed on the process materials.


4. Heated Transfer Lines (Electrically and Steam Heated)

The only initiation mode common to both the impedance-heated and
steam traced transfer lines is thermal initiation of ammonium nitrate
resulting from an abnormally high heat input which goes uncorrected. A
failure in either type of heating line has the potential to cause significant
AN decomposition, although a serious fire (or explosion) hazard would only
exist if the process materials were contaminated with organic materials,
such as oil. The system failures leading to the presence of critically
high product temperatures and their associated probabilities are evaluated
in Section IV.


Another potential hazard, unique to the operation of the impedance-
heated transfer line, is possible ESD initiation caused by an electrical
short. Sufficient ESD stimuli from a shorted heating wire would be available
for initiation. However, assuming a short does occur, process materials would
not normally be exposed to the ESD stimuli. Pipe rupture or poor cleanup
operations are two modes by which such exposure could occur. The probability
of a fire or explosion occurring under such abnormal conditions is discussed
in Section IV.


An additional potential hazard associated with the impedance-heated
transfer line is the possibility of an electrolytic reaction occurring
inside the pipe as a result of current flow through the AN/NA solution
itself. Calculations, based on reported resistivity values for the
process piping and AN/NA, indicate that a relatively small current ('-10“
amps) will pass through the AN/NA solution during normal operations. The
nature and amount of gas(es) liberated as a result of this electrolytic
reaction can only be determined through laboratory testing which simulates
actual process conditions. Similar tests would also have to be performed
to determine corrosion and product degradation effects. This testing was
deemed outside the scope of the present analysis. Because the current
flowing through the AN/NA will be relatively small, only minute (if any)
amounts of gas will be evolved. If the gases were flammable and were,
for example, to gather in a downstream storage tank, an explosion potential
would be set up. (An ignition source would be necessary before an explosion
would occur.) Once the nature of the gas evolution has been determined,
flammability tests on the gas mixture could be performed to determine if the
gases represent a fire or explosion hazard.


As stated earlier, the quantity of gas formed is expected to be
relatively small. For example, assuming hydrogen were evolved as a result
of the current flow, approximately 70 of gas would be formed during
a 24-hour period.


5.  Cleanup  Operations 

Only  general  cleanup  procedures,  such  as  the  disassembly  of  valve 
flanges,  were  evaluated  in  this  program  since  specific  or  detailed  procedures 
were  not  available  for  review. 


Under normal cleanup conditions, positive safety margins were
found to exist. However, under abnormal conditions several situations
were found where either no safety margin would exist or where it was
impossible to calculate a safety margin, due to the nature of the
material response data, as discussed earlier. Included in this latter
category are such abnormal situations as: (1) dropping a tool (wrench)
onto a contaminated area, or (2) stripping a contaminated flange bolt.
Included under the former category is the possibility of charge buildup
on an ungrounded person resulting in the ESD initiation of the AN/NA
material. Under this abnormal condition, a maximum in-process potential
energy of .09 joules could be available, compared to a threshold initiation
level of .075 joules for the AN/NA material. The overall probability
of an incident occurring under the above abnormal cleanup conditions will
be discussed in Section IV.
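
The safety margin definition of Section III-A and the Section II-E rule for "greater than" sensitivity data can be applied together, as in the following Python, which is an added example and not part of the original report. The ESD thresholds (5, 0.5 and .075 joules) and the .09 joule in-process value are the ones quoted in the text; the censored maximum test level of 100 units, the in-process values tried against it, and all function and class names are constructed for illustration.

```python
"""Safety margins with "greater than" (censored) sensitivity data.

Added illustration; rules follow the report's Sections II-E and III-A.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threshold:
    level: float    # threshold initiation level (TIL), same units as in-process energy
    censored: bool  # True for a ">level" result: no initiation at the maximum test level


@dataclass(frozen=True)
class Assessment:
    margin: Optional[float]  # None when no margin can be computed
    lower_bound: bool        # True when the true margin can only be larger
    verdict: str             # "positive", "none" or "assumed none"


def safety_margin(required: float, available: float) -> float:
    """Section III-A: required (material response) / available (in-process) - 1."""
    if required <= 0 or available <= 0:
        raise ValueError("energies must be positive")
    return required / available - 1.0


def assess(til: Threshold, available: float) -> Assessment:
    """Classify one operation given its TIL and its in-process energy."""
    margin = safety_margin(til.level, available)
    if not til.censored:
        # Exact TIL: the margin is a real number, positive or not.
        return Assessment(margin, False, "positive" if margin > 0 else "none")
    if margin <= 0:
        # In-process energy is beyond what the apparatus could deliver, so the
        # data say nothing. Section II-E: take initiation probability as 1.0
        # and no safety margin. (Assumption: equality is treated the same way.)
        return Assessment(None, False, "assumed none")
    # In-process energy is inside the tested range. Section II-E: assume the
    # TIL equals the maximum test level, so the computed margin is a floor.
    return Assessment(margin, True, "positive")


# Values quoted in the report (joules).
IN_PROCESS_ESD_J = 0.09  # charge buildup on an ungrounded person during cleanup
ESD_TIL_J = {
    "AN powder": Threshold(5.0, False),
    "AN/oil (95/5)": Threshold(0.5, False),
    "AN/NA solution": Threshold(0.075, False),
}

# Constructed value (arbitrary units): a ">100" impact or friction result.
CONSTRUCTED_MAX_TEST_LEVEL = Threshold(100.0, True)


def esd_cleanup_assessments() -> dict:
    """ESD safety margins for each material against the cleanup scenario."""
    return {name: assess(til, IN_PROCESS_ESD_J) for name, til in ESD_TIL_J.items()}


if __name__ == "__main__":
    for name, result in esd_cleanup_assessments().items():
        print(f"ESD, {name}: margin {result.margin:+.2f} ({result.verdict})")
    for available in (25.0, 400.0):  # constructed in-process energies
        result = assess(CONSTRUCTED_MAX_TEST_LEVEL, available)
        shown = "n/a" if result.margin is None else f">= {result.margin:+.2f}"
        print(f"censored TIL >100, in-process {available}: margin {shown} ({result.verdict})")
```

Only the AN/NA solution shows a negative ESD margin against the .09 joule cleanup value, which is the case the text places in the "no safety margin" category.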

IV. RISK ANALYSIS


A.  INTRODUCTION 

This analysis is concerned with quantifying the risks associated
with the operation of the ammonium nitrate/nitric acid storage and
transfer facility, as currently designed. In this analysis, expected
risk has been divided into two general areas: (1) loss of operation
due to system failure (reliability), and (2) equipment damage and/or
personnel injury (fire/explosion). To determine overall probabilities,
a system logic model was constructed and simulated, resulting in the
identification of single failures or failure combinations which would
result in an undesired event, in terms of reliability or fire/explosion.
Once identified, each critical failure mode was evaluated to
determine the probability that that particular mode would occur during
some operating time period. These probabilities were then
summed to determine the overall probability of failure.


The  results  of  the  risk  analysis  are  summarized  below,  followed 
by  a detailed  discussion  of  the  analytical  techniques  employed  in 
the  analysis. 


B.  SUMMARY  AND  CONCLUSIONS 


1. Fire/Explosion Hazards

The analysis indicates that there is a 1.1 x 10^-6 probability
of a catastrophic event (explosion) occurring in the facility during
90 days of operation. This relatively low probability is attributed
to the inability of the process materials to support a transition-to-
explosion reaction when exposed to a flame stimulus. Contamination of
the AN/NA solution with large amounts of organic material, such as
oil, grease, etc., could set up an explosive potential in the facility
due to the in situ formation of a Sprengel explosive. However, a
flame (sustained initiation) source would then have to be available
under these conditions before an explosion could occur.


The probable location for an explosion in the facility
is at the Heat Exchanger area. Rapid AN decomposition (gas evolution)
or vaporization of nitric acid in this totally confined area, resulting
from abnormally high process temperatures, could cause the buildup of
explosive pressures. By monitoring the product temperature at the
Heat Exchanger, the overall probability of a catastrophic event
occurring in the facility would be reduced by several orders of
magnitude.

The probability of an incident (fire) occurring during 90
days of operation has been determined to be 1.1 x 10^-5. This low
incident probability is basically due to: (1) the relative
insensitivity of the process material to standard forms of initiation, and
(2) the demonstrated inability of the process materials to sustain a
burning reaction when exposed to a highly energetic ignition source
(sustained burning probability of 10"").


Normal rubbing in the mechanical seals of process pumps during
shutdown or startup contributes over 90% to the 1.1 x 10^-5 incident
probability. For both the Durco and Wilfley pump models, contact in
the seal area will only occur normally during startup or shutdown.
During such contact, sufficient frictional and thermal stimuli will be
present to cause AN decomposition. However, due to the low sustained
burning probability, a relatively low overall incident probability
is calculated.


Other situations in the facility were found to be likely
sources of AN initiation. However, these conditions were all abnormal
(event probability < 1) and were found not to contribute significantly
to the overall 1.1 x 10^-5 incident probability. Many of these were
associated with the abnormal operation of the process pumps (impeller/
housing friction, etc.) where relatively large in-process potentials
were available.


The impedance heated 3" transfer line was not found to be a
significant contributor to the overall incident probability associated
with the proposed operation of the facility. The overall probability
of a fire occurring in the line as a result of a thermal initiation of
the AN has been calculated to be 6.3 x lO"^^. A heating failure(s)
would have to occur and go undetected before sufficiently high product
temperatures to cause decomposition would be available. The resultant
AN initiation would have a very low probability of being sustained
into a fire, unless significant amounts of organic material were present
in the process stream.


The fire/explosion Risk Analysis is briefly summarized in
Table IV-A. The significance of the analysis, in terms of possible
design modifications, is discussed in Section V, Tradeoff Study.


Table IV-A

Process Risk Summary - Fire/Explosion

                                          Overall Probability
                                       Incident(1)    Catastrophe(2)

Tank Farms (C-3 and C-7)               8.3 x 10‘®     1.2 x 10^-8
Transfer Line (Electrically Heated)    8.3 x 10"1-    8.3 x 10^-16
New Pump House                         6.0 x 10^-6    6.0 x 10^-12
Storage Tank and Heat Exchanger        1.1 x 10^-6    1.1 x 10^-6
Existing Pump House                    4.0 x 10’^     4.0 x 10^-12
Total                                  1.1 x 10^-5    1.1 x 10^-6

(1) Incident: Fire resulting in slight equipment damage and/or
    minor personnel injury.

(2) Catastrophe: Explosion resulting in major equipment damage
    and/or severe personnel injury.


2. Reliability

To briefly summarize the results of the reliability evaluation,
it has been determined that there is an average probability of
.18 of having one failure (leading to no product from both Tank Farms)
occurring during 90 days of operation assuming no maintenance is
performed during this time period.


The reliability portion of the logic model was constructed
based on the presently conceived design and operation of the facility.
Utilizing available component failure rate data, as reported in FARADA
and operator error data (from Hercules' operational files), the
probability of a critical system failure occurring was obtained through
simulation of the logic model. A critical failure in this analysis has
been defined as one which, if it were to occur, would result in no
product available from both the C-3 and C-7 Tank Farms. Table IV-B
presents a brief summary of the Reliability Analysis.

The three-inch transfer line contributes almost 50% to the
overall .18 failure probability. A failure in any one of the ten
heating units in the three-inch line could ultimately result in the
shutdown of both Tank Farms since excessive or insufficient heating
could cause a secondary pipe failure (corrosion) or blockage (product
freezing), respectively.


The components in the facility which have the highest reported
failure rates are automatic control valves and pumps. Since parallel
or auxiliary pumps are present throughout the facility, two or more
failures would have to coexist before a critical condition would result.
This is also true of the level control valves in the two Tank Farms:
at least one valve in each Tank Farm must operate improperly before a
shutdown of both farms would result. However, a single (open) failure
of the temperature control valve (TCV) at either the heat exchanger or
the auxiliary heater (20 ft storage tank) could necessitate a shutdown,
if no manual valve were present in the steam lines feeding these TCV's.

Many of the electronic sensors, controllers, etc. utilized in
the facility are critical to the operation of the facility in the sense
that a single failure could lead to a shutdown of both Tank Farms.
Examples of this situation are the electrical components present in the
heating units of the three-inch transfer line, as mentioned earlier.

Table IV-B

Process Risk Summary - Reliability Evaluation

                               Average Probability of
Subsystem Operation            Failure During 90 Days

Both Tank Farms                        .0198
3" Transfer Line                       .0836
New Pump House                         .02^6
20' Storage Tank                       .0268
Existing Pump House                    .0255
Overall Average
  Probability of Failure               .1835


Operator errors will also have a significant influence on the
overall reliability of the transfer system. Such errors include:
failure to open or close valves as required, improper adjustment of
pumps, failure to notice warning lights/alarms or to take subsequent
corrective action, failure to follow prescribed cleanup or maintenance
procedures, etc. The deleterious influences which operator errors will
have on the system reliability can be minimized through proper training
and supervision. With respect to increasing system reliability by
reducing mechanical or electrical component failures, several preventive
actions are available; e.g., component redundancy, design or procedural
modifications, availability of spares, etc. These options will be
discussed in a later section of this report (Section V).


Presented  in  the  following  section  is  a detailed  discussion  of 
the  fire/explosion  and  reliability  evaluation  performed  in  the  Risk 
Analysis. 


C. FIRE/EXPLOSION EVALUATION

In this analysis, the probability of a fire or explosion occurring
during the normal and abnormal operation of the AN/NA storage and
transfer facility was determined. In this manner, the risks associated
with the operation of the facility can be evaluated. Should this risk
level be found unacceptable, possible corrective action, such as
modifying procedures, redesigning equipment, increasing preventive
maintenance, etc., can be evaluated in a cost tradeoff study (Section V).

The procedure employed in determining fire and explosion
probabilities is presented below, followed by a discussion of the
results for each of the subsystems comprising this facility.

1. Probabilistic Approach

a. Incident Probability

An incident in this analysis is defined as the occurrence
of an initiation which is sustained into a fire, resulting in loss of
product and/or personnel injury. The probability of an incident at a
particular point in the facility can be calculated by first identifying
the separate events which are necessary to cause this incident (via the
logic model), and then determining the probability of each of the events
existing at the same time. In equation form, the probability of a
single incident (e.g., fire in tank) can be expressed as:

where: Pp = probability of the incident (fire)
       Ep = probability of the initiating event occurring
       Cp = probability of combustible material present
       Ip = probability of initiation
       Fp = probability of the initiation being sustained
       F  = frequency of occurrence

Each of these terms, as applied to this evaluation, is discussed
separately below.

The term "Pp" is technically an expectancy value, as opposed
to an actual probability, since frequency (F) is incorporated into the
above equation. However, for simplicity, Pp will be termed a
probability value throughout this report. The analysis itself is not
altered when this nomenclature is employed.


1 Initiating Event (Ep)

All credible events which may lead to an initiation are
identified by the construction and simulation of the logic model. The
probability of an event occurring (e.g., impeller impacts pump housing)
will generally either be time-dependent or time-independent.

Time-dependent events consist of component failures and the
probabilities of these events occurring are based on the failure rates
of the particular components. A component failure rate, typically
expressed in terms of failures per million operating hours, is
significantly influenced by the actual environment in which the
component must operate. Acceptable failure rate data may be found in
such data banks as FARADA^**' or the nonelectric failure rates
published by Rome Air Development Center. The data from these sources
have been tabulated from actual operating records. However, the actual
failure rates of components present in a given system will not
necessarily be the same, due to differences in operating environments.

Time-independent events can generally be classified as
either those which occur normally during an operation (probability
equal to one) or those which occur as a result of human error during
the operation (probability equal to 10^-3). This 10^-3 value for the
probability of human error, derived from Hercules' operational records,
means that out of every 1,000 operations which the operator performs,
an average of one error can be expected.

The above discussion of event probability (both time-dependent
and time-independent) applies equally well to both the
fire/explosion analysis and the system reliability prediction.

2  Combustible  Material 


This is the probability that combustible material will be
present in the area when the initiating event occurs. There are a
variety of modes by which combustible material could be present in the
area of the process under evaluation. These can be generally divided
into three cases: (1) normally present (probability equals one),
(2) present due to operator error (time-independent, probability
equals 10^-3), or (3) present due to component(s) failure
(time-dependent, probability based on component(s) failure rate).
Examples of the three cases above are, respectively: AN/NA material in
pump during normal processing, contamination of the area during cleanup,
and contamination of valve stem due to seal failure. In some cases,
the occurrence of both a component and operator fault is required in
order for combustible material to be present. In addition, there are
instances where the particular fault causing the initiating event to
occur is also responsible for the presence of combustible material
(i.e., common cause failure). In these cases, the probability of the
combustible material being present is taken to be one, given that the
initiating event has occurred.


3  Initiation  (Ip) 


This is the probability that an initiation will result,
given the occurrence of the initiating event (e.g., impeller strikes
housing) and the presence of combustible material. An initiation is
used in this analysis to mean a decomposition reaction detected by the
use of an infrared detector ("LIRA") during material response testing.
The probability of an initiation occurring is determined by comparing
in-process potentials to material response data expressed in
probabilistic form. This is accomplished by the utilization of the
probit technique which has already been described in Section II. In
cases where in-process energies are greater than the TIL energy, an
initiation probability of 1.0 is conservatively assumed.


4 Initiation Sustainment (Fp)

This is the probability that a sustained burning (fire) will
result, given an initiation. This probability is based on supplementary
material response testing detailed in Section II. For the AN and AN/NA
materials, a sustainment probability of 1 x 10”^ is employed.

5 Frequency of Occurrence (F)

The frequency factor takes into account the number of
times the potential initiation event occurs during the 90-day
operational time period. In situations involving continuously occurring
events (e.g., rotation of agitators or pumps) the frequency factor is
defined as 1.0, whereas in cases involving discrete operations or
cycles (e.g., closing valve, etc.), the factor is computed from
the number of times the potential initiating event occurs during the
90-day operating period. In this regard, frequency values in this
analysis have been based on the facility being started up, operated
for 90 days, then shut down to perform the cleanup and maintenance
procedures.

b. Catastrophe Probability (Pcat)

Once the probability of a fire resulting from a particular
operation in the process has been calculated (Pp), the probability of
a catastrophic event (Pcat) occurring from this fire can be determined.
In order to do so, the ability of the combustible material to transit
to an explosive reaction must be known (Rp). A catastrophe is defined
in this analysis to mean an explosive reaction occurring in the facility
which would lead to extensive equipment damage and/or severe personnel
injury. The probability of a catastrophe occurring at some location
in the process is calculated by multiplying the incident probability and
the explosion potential together: Pcat = Pp x Rp

The explosion potential has been concluded in this analysis
to be nearly zero (5 10“^) in cases where normal process materials are
exposed to a flame stimulus. This conclusion is based on transition
test data which have been summarized in Section II. This is not to
say, however, that the generation of explosive pressures in the facility
is an absolute impossibility.


For instance, should the AN/NA material be exposed to
elevated temperatures, explosive pressures could build up if the
vaporization rate exceeded the vent capabilities of the component
(e.g., tank) under consideration. Similarly, exposure of solid AN to
elevated temperatures (resulting in decomposition) could result in a
rupture if the decomposition gases generated were not adequately vented.
In this latter example, there is considerable evidence that the rate of
AN decomposition increases with pressure as well as with temperature.(^0, 14)
Thus, the rate of decomposition will accelerate as pressure from the
inadequately vented gases builds up.
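
The arithmetic of this subsection as an added example (not part of the original report): each initiation mode is scored from its event, combustible, initiation, sustainment and frequency terms, then carried through to a catastrophe value. It assumes the incident expression, whose equation did not survive on this page, is the product of those five terms; every numeric input, including the sustainment and transition values, and the mode names are constructed for illustration.

```python
import math
from dataclasses import dataclass

PERIOD_HOURS = 90 * 24   # 90-day operating period used throughout the report
HUMAN_ERROR = 1e-3       # report's value: one error per 1,000 operations


def component_failure(rate_per_hour, hours=PERIOD_HOURS):
    """Time-dependent event: chance of at least one failure at a constant rate."""
    return 1.0 - math.exp(-rate_per_hour * hours)


@dataclass
class InitiationMode:
    name: str
    event: float                 # Ep
    combustible: float           # Cp
    initiation: float            # Ip, taken from material response data
    sustain: float               # Fp
    frequency: float = 1.0       # F: 1.0 if continuous, else count per period
    common_cause: bool = False   # the same fault also puts material in the area
    exceeds_til: bool = False    # in-process energy is above the TIL energy

    def incident(self):
        """Fire expectancy for this mode (assumed product of the five terms)."""
        cp = 1.0 if self.common_cause else self.combustible   # common cause rule
        ip = 1.0 if self.exceeds_til else self.initiation     # conservative rule
        return self.event * cp * ip * self.sustain * self.frequency


def risk_summary(modes, transition):
    """Return (total incident, total catastrophe, share of total per mode)."""
    per_mode = {m.name: m.incident() for m in modes}
    total = sum(per_mode.values())
    shares = {name: value / total for name, value in per_mode.items()}
    return total, total * transition, shares   # Pcat = Pp x Rp


# Constructed inputs (not the report's data): one pump and one valve, 90 days.
SUSTAIN = 1e-6      # assumed Fp
TRANSITION = 1e-6   # assumed Rp
MODES = [
    InitiationMode("seal rubbing at startup/shutdown", event=1.0,
                   combustible=1.0, initiation=1.0, sustain=SUSTAIN,
                   frequency=2, exceeds_til=True),
    InitiationMode("impeller strikes housing", event=component_failure(5e-6),
                   combustible=1.0, initiation=0.3, sustain=SUSTAIN,
                   exceeds_til=True),
    InitiationMode("valve cycled, stem contaminated by seal failure",
                   event=1.0, combustible=component_failure(1e-6),
                   initiation=1e-2, sustain=SUSTAIN, frequency=90),
    InitiationMode("valve cycled, residue left by cleanup error", event=1.0,
                   combustible=HUMAN_ERROR, initiation=1e-2, sustain=SUSTAIN,
                   frequency=90),
    InitiationMode("bearing failure that also breaches the seal",
                   event=component_failure(1e-7), combustible=0.0,
                   initiation=0.1, sustain=SUSTAIN, common_cause=True),
]

if __name__ == "__main__":
    total, catastrophe, shares = risk_summary(MODES, TRANSITION)
    print(f"incident {total:.2e}  catastrophe {catastrophe:.2e}")
    for name, share in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"{share:6.1%}  {name}")
```

With these inputs the normally occurring seal contact dominates the total even though it is the least "abnormal" mode, because its event and combustible terms are both one.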


Using the equations and definitions summarized above, the
probability of a fire or explosion occurring in the facility during
normal and abnormal operations has been calculated. A discussion of
the results is presented below.

2. Fire/Explosion Results

a. Tank Farms (C-3 and C-7)

The C-3 and C-7 Tank Farms consist of a total of six steam
heated tanks, each having three valves: block, level control, and
pressure relief. The analysis indicates that there is an overall
probability of 1.2 x 10^-8 of a catastrophic event (explosion) occurring
at the Tank Farms during a 90-day operating period. Essentially 100% of
this value is associated with the buildup of potentially explosive
pressures in a tank(s) due to a critically high product temperature
(nitric acid vaporization). This would require: (1) failure of both
the steam heating system and pressure relief valve of the tank, and
(2) the abnormally high temperature (or pressure) to go undetected.


The overall probability of a fire originating at the Tank
Farms has been determined to be 8.3 x 10"®. Most of this probability
is associated with the disassembly/assembly of process valves during
cleanup or maintenance operations. The normal or abnormal operation of
the valves, in general, was found to contribute only marginally to the
overall incident probability. This is attributed to the relatively
small in-process potentials which will be available. In the analysis,
it was assumed that each valve would be cycled once each day and would
be disassembled once every 90 days.

The steam tracing operations contribute about 10% to the
overall 8.3 x 10"® fire probability. The probability of a high
temperature occurring in one of the steam traced lines is about
6.9 x 10"® (initiation probability) although a thermal initiation is
unlikely to be sustained into a fire, unless organic contaminants are
present in the process material.

A summary of the fire/explosion probability analysis
performed on the Tank Farms is presented in Table IV-C. Tables IV-D
through -G summarize the individual analyses performed on the block
valve (DURCO plug or Jamesbury ball), level control valve (split body
globe), and pressure valve present at each tank.


Table IV-C

Fire/Explosion Probability Summary
for Tank Farms C-3 and C-7

                       Incident (Fire)    Catastrophe (Explosion)
Equipment              Probability        Probability

Block Valves (6)       5.7 x 10^-8        5.7 x 10-1^
Globe Valves (6)       3.5 x 10-5         3.5 x 10“^^
Relief Valves (6)      3.0 x 10"^         3.0 x 10^-15
Steam Tracing          6.9 x 10"5         6.9 x
Tank Heater (6)        1.2 x 10"®         1.2 x 10"®
Total                  8.3 x 10"®         1.2 x 10^-8

b. Transfer Line (Impedance Heated)

The 3" transfer line feeding into the C-3 and C-7 Tank
Farms will be electrically (impedance) heated using ten individual
heating units (thermostat, transformer, etc.). The analysis
indicates that there is a relatively low probability of 8.3 x 10'^® of
an incident (fire) occurring at the transfer line during a 90-day
operating period.

The design of the transfer line is such that in order
for a sufficient thermal initiation stimulus to be available, failures
in both the heating system and temperature monitoring system would
have to coexist. The probability of such a condition occurring has
been determined to be quite low (8.3 x 10”^) due principally to the
independent operation of the two systems. Given an initiation, it is
unlikely that a burning reaction would be sustained or that the
resultant fire would transit into explosion, as discussed earlier.

Another potential initiation mode is electrostatic
discharge from a shorted heating wire. The overall probability of an
initiation occurring via this mode has been determined to be 1 x 10“^,
which corresponds to an incident probability of 1 x 10“^^.


Should an electrical short or ground failure occur during
transfer operations, exposure of the process materials to the ESD
stimulus would not occur, unless a pipe failure (rupture) also existed.
Simultaneous failures of this nature would most likely be caused by
vehicular accidents or falling trees, which result in severe line damage.

During cleanup operations, accidental spillage of the
corrosive process materials upon heating wire circuitry could result
in insulation failure and potential exposure of materials to ESD.
However, current would not normally be on during cleanup and, as such,
an ESD stimulus would not be available. Failure to clean up spilled
materials prior to line startup could result in initiation in shorted
areas. Employment of a protective covering over exposed equipment
during cleanup operations is recommended as a simple means of reducing
the likelihood of an incident occurring as a result of corrosion damage
during poor cleanup procedures. These failure modes do not contribute
significantly to the overall 8.3 x 10“^® incident probability associated
with the transfer line.


c. Pump Houses

An overall probability of an explosion occurring during the
90-day operation of the new pump house (three pumps) has been
determined to be 6 x 10^-12; for the existing pump house (two pumps) it
is 4 x 10^-12. Operation of the process pumps was found to be the only
significant contributor to these probability values.

As outlined in Section III, initiation (decomposition)
will normally occur in the mechanical seals of the process pumps (Wilfley
or DURCO models). However, initiation of process materials in this area
will not readily be sustained into a fire and a transition of this fire
into an explosion would require an abnormal condition (organic contaminant
of process materials) to exist. These two factors together result in
the relatively low overall explosion probability quoted above.

Because initiation will normally occur in the pump seals,
abnormal pump operations ("impeller strikes housing," etc.) or valve
operations do not contribute significantly to either the fire or
explosion hazard probabilities. No significant difference, in terms of
incident probabilities, was found between the operation of the Wilfley
model and DURCO "Sealmatic" model pumps.

The hazards evaluation performed on the operation of the
process pumps is summarized in Table IV-H.


The introduction of organic material into the process flow
can significantly increase the ability of the process material to sustain
an initiation into a fire and support a transition to explosion.
Operator error during the maintenance of the process pumps represents
the most probable mode by which oil, grease, etc. could accidentally be
introduced into the system. When writing cleanup and maintenance
procedures, particular emphasis should be placed upon the avoidance of
such errors.

d. New Storage Tank (with Heat Exchanger)

Process material in the new storage tank will be circulated
through a heat exchanger to make up for heat loss during storage. The
operation of the storage tank/heat exchanger system contributes
essentially 100% to the overall 1.1 x 10^-6 explosion probability
associated with the 90-day operation of the entire transfer and storage
facility.

A catastrophic potential exists in this area should
abnormally high process temperatures be generated in the heat exchanger
and left uncorrected. Significant vaporization of the process liquid
(nitric acid) as well as AN decomposition could occur under such
abnormal temperatures. If not corrected, explosive pressures could
build up in the enclosed storage tank and heat exchanger.


The failure of either the temperature transmitter (TT-3)
at the storage tank or the temperature indicator/controller (TIC-3)
which signals the heat exchanger could result in both a critically
high process temperature and no corrective action taken. For example,
failure of TT-3 could result in a false "low temperature" signal to
TIC-3 which, in turn, sends a "heat" signal to the heat exchanger.
The operator, observing the temperature on TIC-3, would be unaware of
the critically high process temperature. Assuming product was flowing
through the impedance-heated transfer line (i.e., Tank Farms not full),
the abnormal product temperature could potentially be detected by an
operator on the line's temperature indicator. However, shutdown of the
heat exchanger would certainly not be an automatic decision and could
well be delayed while the transfer line is examined. Similarly, if the
Tank Farms were full (no product flowing through the transfer line), the
abnormal temperature in the new storage tank/heat exchanger would not
be discovered.


The probability of explosive pressures building up in this
area can be reduced by several orders of magnitude by monitoring the
temperature of the product immediately downstream of the heat exchanger.
The temperature indicator (separate from TIC-3) could be installed on
the master control panel. In this manner, failure of either TT-3 or
TIC-3 could not, by itself, set up a potentially catastrophic condition.
As an additional safeguard, a pressure relief valve should be installed
on the unvented storage tank.

If sufficient explosive pressure were allowed to build up
to rupture the storage tank, this would constitute a Class IV hazard
under MUCOM Regulation 385-22. Severe equipment damage would result
and serious bodily injury from projectiles would occur should
personnel be in the immediate tank area.

Monitoring of the heat exchanger temperature would not only
reduce the overall explosion probability, but would also reduce the
likelihood of excessive corrosion or product blockage (freezing) occurring
as a result of abnormal process temperatures which go uncorrected (see
Reliability discussion).


D. RELIABILITY EVALUATION

The objective of this evaluation is to determine the overall
probability of loss of operation occurring in the AN/NA transfer system.
Loss of operation has been defined in this analysis as no product from
both Tank Farms C-3 and C-7 for any length of time during a 90-day
operating period.

The results of the reliability evaluation indicate that there is
an average probability of .18 that at least one failure will occur
(mechanical, electrical, or human) during the 90-day operation of the
transfer system which will result in no product from both Tank Farms.

The reliability evaluation utilized a system logic model to identify
all critical failure modes which could lead to a loss of production.
Once identified, the probability of these critical failures occurring
was calculated based on typical component failure rate data reported in
the literature, I*** 5) and human failure rate data derived from
Hercules' operational files.

The general results from this analysis, presented in Section IV-B,
will not be summarized here. Instead, in the remaining sections, the
probabilistic approach employed in the analysis will be discussed
followed by detailed discussions on the analysis performed on the various
subsystems comprising the transfer system. The reliability section will
be followed by a discussion on how to best increase overall system
reliability (Section V).


1. Probabilistic Approach

As outlined earlier, the construction and subsequent simulation
of the logic model results in the identification of all failure modes
(single faults or in combination) which are critical to the operation of
the facility in the sense that should any one of them occur, a loss in
production operation would result. Included in these faults are equipment
malfunction and human error. Once a critical failure mode has been
identified, it is necessary to determine the likelihood or probability
of that particular failure occurring. By summing all of the separate
probabilities together, the overall probability for loss of production
can be obtained. This summation technique is valid only in cases where
the individual failure mode probabilities are small since no correction
is made for cases where two or more critical failure modes may occur
simultaneously.

TABLE IV-I


FAILURE OF BOTH TANK FARMS TO PASS PRODUCT

                                            Typical       Probability of
                                            Failure       Failure After
Failure Mode                                Rates         2160 Hours

1. Failure of component steam tracing
   (common cause)
   a. steam pipe failure                    1 x 10^-8     2.2 x 10^-5
   b. steam header                          1 x 10“8      .0022
   c. steam pressure indicator              8 x 10-^      .0017
   d. incorrect installation/selection,
      etc. of items a, b, and c             NA            .0030

2. Failure of Tank Heaters
   (common cause)
   a. steam pipe failure                    1 x 10-f      2.2 a 10
   b. steam header                          1 x 10-»      .0022
   c. steam pressure indicator              8 x 10*^      .0017
   d. incorrect installation/selection/
      design of items a, b, and c           NA            .0030
   e. incorrect installation/selection/
      design of components in tank
      temperature control system at
      each tank                             NA            .0030

3. Incorrect installation/selection/
   maintenance of components listed
   in Table IV-J                            NA            .0200

4. Higher order failure modes                             .0098

                              Total Probability:          .0396
                              Average Probability:        .0198

The probability of a particular failure mode occurring can be
determined by evaluating the individual fault or fault combinations
comprising the failure. Fault events can generally be classified as
either time dependent (component failure) or time independent (human
error), as previously discussed in Section IV-B-1. In cases where the
failure mode is comprised of a single fault (i.e., single point failure),
the probability of the failure mode occurring is the probability of
the single fault occurring. In cases where the coexistence of two or
more faults is required, the fault probabilities are multiplied together
to obtain the failure mode probability.


In cases where a system is found to have numerous single point
failure modes, higher order failure modes (i.e., ≥ two faults) can, in
most cases, be ignored since their contribution to the overall
reliability prediction will be minimal. This is not, however, the
general rule when evaluating overall fire/explosion probabilities since
it is not only the probability value which is important, but also the
consequences (severity of fire, explosion).


Presented below is a discussion of the reliability evaluation
performed on the operation of the AN/NA transfer system. For
simplification and clarity, the various facility subsystems are discussed
separately.


2. Reliability Results

a. Tank (C-3 and C-7)

From the analysis, it has been determined that there is an
average probability of .0199 that a failure(s) will occur at the C-3
and C-7 Tank Farms during 90 days of continuous operation such that no
product would be available from both Farms. Those component failures
and operator faults contributing most significantly to this reliability
prediction are discussed below.


The Tank Farms contribute only about 10% to the overall
average failure probability of .18 for the entire facility. The
relatively high reliability of the Tank Farms can be attributed to the fact
that the two Tank Farms operate essentially independently of one
another. For both Farms to be shut down, at least one failure would
have to exist in each system. The probability of this occurring as a
result of primary failures of mechanical (valves, pipes, etc.) or
electrical (level transmitters, solenoid valves, etc.) components is
extremely remote (...lO***) due to their independence. However, secondary
failures of such components, brought about by human error, cannot be
regarded as independent. Thus, should a level control valve fail at one
of three tanks comprising the C-3 Tank Farm due to improper installation
TABLE IV-J

FAILURE OF A TANK AT C-3 OR C-7

                                                                  Probability of
                                                Typical Failure   Failure After
     Failure Mode                               Rates             2160 Hours

 1.  Tank                                       1 x 10⁻⁸          2.2 x 10⁻⁵
 2.  Tank Heating System                        (see Table IV-K)  .0215
 3.  LCV-7                                      5.4 x 10⁻⁶        .0117
 4.  LCV-7                                      5.4 x 10⁻⁶        .0117
 5.  Relief valve                               2.0 x 10⁻⁶        .0043
 6.  EV-6                                       1.8 x 10⁻⁶        .0040
 7.  EV-6 Coil                                  1.0 x 10⁻⁶        .0022
 8.  LSHH-7                                     1.5 x 10⁻⁶        .0032
 9.  LIC-6                                      1.6 x 10⁻⁶        .0035
10.  LT-6                                       5 x 10⁻⁷          .0011
11.  EV-7                                       1.8 x 10⁻⁶        .0040
12.  EV-7 Coil                                  1.0 x 10⁻⁶        .0022
13.  2" Fill line piping                        1 x 10⁻⁸          2.2 x 10⁻⁵
14.  2" Fill line flange gasket                 1.0 x 10⁻⁶        .0022
15.  2" Fill line flange (loose)                NA                .0010
16.  LAH-6                                      1.4 x 10⁻⁶        .0030
17.  LAL-6                                      1.4 x 10⁻⁶        .0030
18.  LSL-6                                      1.5 x 10⁻⁶        .0032
19.  LAHH-7                                     1.4 x 10⁻⁶        .0030
20.  PI-6                                       8 x 10⁻⁷          .0017
21.  LI-6                                       5 x 10⁻⁷          .0011
22.  Steam tracing failure (leading to          (see Table IV-L)  .0069
     excessive corrosion or product freezing)
23.  Incorrect installation/selection/design    NA                .0200
     of above items

     Probability subtotal:                                        .1151


TABLE IV-K

HEATING SYSTEM FAILURE OF A TANK AT C-3 OR C-7

                                                                  Probability of
                                                Typical Failure   Failure After
     Failure Mode                               Rates             2160 Hours

 1.  Temperature transmitter                    5 x 10⁻⁷          .0011
 2.  Temperature indicator/controller           1.6 x 10⁻⁶        .0035
 3.  Temperature control valve                  7.9 x 10⁻⁶        .0170
 4.  Steam pipe failure                         1 x 10⁻⁸          2.2 x 10⁻⁵
 5.  Steam header                               1 x 10⁻⁶          .0022
 6.  Steam pressure indicator                   8 x 10⁻⁷          .0017
 7.  Incorrect installation/selection/          NA                .0060
     design of above items

     Total Probability:                                           .0215

TABLE IV-L

STEAM TRACING FAILURE OF TANK COMPONENTS AT C-3 OR C-7

                                                                  Probability of
                                                Typical Failure   Failure After
     Failure Mode                               Rates             2160 Hours

 1.  Steam pipe failure (freezing only)         1 x 10⁻⁸          2.2 x 10⁻⁵
 2.  Steam header                               1 x 10⁻⁶          .0022
 3.  Steam pressure indicator                   8 x 10⁻⁷          .0017
 4.  Incorrect installation/selection/          NA                .0030
     design of above items

     Total Probability:                                           .0069
TABLE IV-M

SHUTDOWN OF TRANSFER LINE

                                                                  Probability of
                                                Typical Failure   Failure After
     Failure Mode                               Rates             2160 Hours

 1.  Pipe or support (1000) failure             1 x 10⁻⁸          .0220
 2.  Block valve                                2 x 10⁻⁶          .0043
 3.  Flange gasket                              1 x 10⁻⁶          .0022
 4.  Flange (loose)                             NA                .0010
 5.  Flange (grounded)                          NA                .0010
 6.  Tynncfor npprflHnno A„a. hf>
     abnormal product temperature
     indicated in line
     A.  TR-5                                   1 x 10⁻⁶          .0022
     B.  TT (5A through 5M)                     5 x 10⁻⁷          .0132
     C.  Heating unit thermostat (10)           5 x 10⁻⁷          .0110
     D.  Heating unit transformer (10)          2 x 10⁻⁶          .0430
     E.  Heating unit wiring (grounded)         1 x 10⁻⁸          .0002
     F.  Ground alarm (10)                      1 x 10⁻⁶          .0220
 7.  Incorrect installation/selection/          NA                .0450
     design of above items

     Total Probability:                                           .1671

     Average Probability:                                         .0836
or maintenance, then it can be reasonably assumed that a similar valve
in the C-7 Tank Farm will fail at the same time. Presumably the same
person will be involved in the maintenance of similar components present
at each Tank Farm. Thus, the secondary failure of the two valves, in
this case, can be regarded as a single point failure: human error.


In  addition  to  operator  error,  other  single  point  or  common 
cause  failures  were  identified  from  the  analysis  of  the  two  Tank  Farms. 
These  involve  the  operation  of  the  same  steam  system  supplying  the  tank 
heaters  of  both  Tank  Farms.  A failure  in  either  one  of  these  systems, 
such  as  a primary  or  secondary  failure  of  the  steam  header,  would  result 
in  a process  upset  and  the  eventual  shutdown  of  both  Tank  Farms  (abnormal 
product  temperature). 


At the current design stage of the facility, the selection
of a particular valve model for utilization as a level block valve at
each tank has not been made. The reliability data available at this
time on the two candidate valves (Durco plug and Jamesbury ball) are not
sufficient to make a quantitative comparison between the two candidates.
However, because of their similarity in design and materials of
construction, major differences in reliability would not be expected.


A summary of the reliability analysis on the Tank Farms is
presented in Table IV-I.


From typical component failure rate data and human error
rates, the probability of any one of the critical failure modes (leading
to loss of operation) has been determined for 90 days of operation. The
sum of these probabilities equals the overall probability of failure
during the time period under evaluation. For the Tank Farms, the
probability sum is .0396, as noted in Table IV-I. This means that there
is a probability of .0396 of having at least one critical failure occur
during a 2160-hour (90 days) operating period. Initially, the overall
failure probability will be nearly zero and, as time passes, will
steadily increase to .0396 after 2160 hours. Half of the time, the
failure probability will be less than .0198 whereas, for the other half
of the time, it will be greater than .0198. Thus, the best estimate
of the probability becomes the average, or .0198. This technique for
calculating the average probability of failure is employed throughout
the reliability evaluation.
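
The calculation described above, worked through as an added example (it is not code from the Hercules report). It assumes the 2160-hour column is the failure rate multiplied by the operating hours, takes the steam header rate as 1e-6 per hour (the value consistent with its .0022 entry), and uses the Table IV-L rows, the .0117 valve entry of Table IV-J and the .0200 human-error entry of Table IV-I as sample input; all function names are illustrative.

```python
"""Added example: recompute 90-day failure probabilities as the text describes."""
import math

HOURS = 2160  # 90 days of continuous operation, the report's evaluation period


def fault_probability(rate_per_hour, hours=HOURS):
    """Time-dependent fault (component failure): rate x time.

    Assumption: the report's 2160-hour column is this rare-event product.
    """
    return rate_per_hour * hours


def exponential_probability(rate_per_hour, hours=HOURS):
    """Constant-hazard model, for comparison with the linear product."""
    return 1.0 - math.exp(-rate_per_hour * hours)


def mode_probability(fault_probabilities):
    """Failure mode that needs several independent faults to coexist: multiply."""
    return math.prod(fault_probabilities)


def total_probability(mode_probabilities):
    """Sum over the critical failure modes ('Total Probability' rows)."""
    return sum(mode_probabilities)


def exact_any_failure(mode_probabilities):
    """Probability of at least one mode occurring, if the modes are independent."""
    return 1.0 - math.prod(1.0 - p for p in mode_probabilities)


def average_probability(total):
    """The report's estimate: half of the end-of-period total."""
    return total / 2.0


def time_averaged_probability(total):
    """Mean over the period of P(t) = 1 - exp(-k*t), where P(T) = total."""
    k_times_t = -math.log(1.0 - total)
    return 1.0 - total / k_times_t


# Table IV-L rows: (failure mode, rate per hour or None, fixed probability).
# Human-error rows carry no rate ("NA"), only a time-independent probability.
TABLE_IV_L = [
    ("Steam pipe failure (freezing only)", 1e-8, None),
    ("Steam header", 1e-6, None),  # assumed exponent, matches the .0022 entry
    ("Steam pressure indicator", 8e-7, None),
    ("Incorrect installation/selection/design", None, 0.0030),
]


def table_probabilities(rows, hours=HOURS):
    """Per-row probability: rate x hours for components, given value otherwise."""
    return [fault_probability(rate, hours) if rate is not None else fixed
            for _, rate, fixed in rows]


def independent_vs_common_cause(p_single, p_human_error):
    """Both Tank Farms down: two coincident independent faults vs one shared fault."""
    return mode_probability([p_single, p_single]), p_human_error


if __name__ == "__main__":
    probs = table_probabilities(TABLE_IV_L)
    total = total_probability(probs)
    for (name, _, _), p in zip(TABLE_IV_L, probs):
        print(f"{name:42s} {p:.6f}")
    print(f"Sum of single point modes:          {total:.4f}")
    print(f"At least one (independent modes):   {exact_any_failure(probs):.4f}")
    print(f"Half of .0396 (report's average):   {average_probability(0.0396):.4f}")
    print(f"Time average, exponential model:    {time_averaged_probability(0.0396):.4f}")
    both, shared = independent_vs_common_cause(0.0117, 0.0200)
    print(f"Two independent valve failures:     {both:.6f}")
    print(f"Shared human-error entry:           {shared:.4f}")
```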


As a supplementary analysis of the reliability of the Tank
Farms, the probability of a failure occurring which would result in one
of the six tanks being inoperative was also determined. The results of
the analysis, although not applicable to the overall reliability
analysis, can serve as a trouble shooting guide by pointing out those
failures which are more likely to occur. The results of the analysis
are summarized in Tables IV-J, -K, and -L. Not surprisingly, the .115
average probability of failure results primarily from single point
failures of electrical and mechanical components.


b. Three-inch Transfer Line


From the analysis it has been determined that there is
an average probability of .0836 that a failure(s) will occur in the 3"
transfer line (impedance heated) during 90 days of operation such that
no product would be available to both Tank Farms. Shutdown of the
transfer line would result in no product being available from the Tank
Farms only if the transfer line shutdown lasted for an extended period
of time. In the analysis, it is assumed that failures leading to a
transfer line shutdown would necessitate an ultimate shutdown of both
Tank Farms. Those system failures contributing most significantly to
the .0836 failure probability are discussed below.


to the overall average failure probability of .18 for the entire
facility. Numerous single point failures could cause the 3" transfer
line to be shut down. Most of these are associated with the improper
operation of any one of the electrical components which are present in
each of the ten individual impedance heating units (thermostat,
transformer, ground alarm, etc.) and those which are employed in process
monitoring (temperature transmitters and recorder). In the analysis
it is assumed that the transfer line would normally be shut down if a
critically abnormal product temperature were indicated in the line.

An abnormally high (> 100°F) or low (< 80°F) product temperature could
ultimately cause, if left uncorrected, a secondary pipe failure
(corrosion) or blockage (product freezing), respectively.


It would require the occurrence of at least one failure
in both the heating and monitoring systems to cause an abnormal product
temperature to go uncorrected. Since the two systems will operate and
are maintained independently of one another, the probability of two
independent system failures occurring under those conditions is quite
small (— 10"^ per 90 days).


A summary of the reliability analysis performed on the
transfer line is presented in Table IV-M.


c. New Pump House

From the analysis it has been determined that there is an
average probability of .0278 that a failure(s) will occur in the new
pump house during 90 days of operation such that no product would be
available to the 3" transfer line. Shutdown of the new pump house would
ultimately result in no product being available from the Tank Farms only
if the pump house shutdown lasted for an extended period of time. In
the analysis, it is conservatively assumed that all failures leading to
a pump house shutdown would necessitate an ultimate shutdown of both
Tank Farms.


The new pump house contributes only about 15% to the overall
average failure probability of .18 for the entire facility. The
relatively high reliability can be attributed to the fact that there are
three pumps (with associated piping) available for use in the new pump
house, whereas the operation of only two of these are absolutely
necessary: one pump to recirculate product through the heat exchanger
and another pump to supply product to the 3" transfer line. The third
pump primarily serves as a backup to the other two, although all three
pumps could be used together if required.


Primary failures of pumps and valves contribute very little
to the failure probability of the new pump house operation. At least

before 


the  pump  house  is  shut  down.  A single  failure,  which  could  cause  all 
three  pumps  to  be  shut  down,  is  more  probable  than  the  simultaneous 
occurrence  of  independent  failures  in  two  or  more  of  the  pumping  circuits. 


For example, failure of the building heater to supply
sufficient heat is a much more likely cause for the pump house being
shut down than the primary failure of two pumps. Insufficient heating
could be caused by any one of several single component failures (e.g.,
thermostat, steam control valve, etc.) and would most likely not be
noticed before the product freezes in the pipes. The average probability
of a critical failure occurring in the building heater has been
determined to be about .016 for 90 days of operation, or about 60% of the
pump house failure probability. In the analysis, it is assumed that a
heater failure will always result in blockage. If the failure were
caught before significant freezing in the product line had occurred, a
shutdown could be avoided. Discussions with Holston personnel on the
existing pump house indicate that failure of the building heater would
not necessarily result in blockage via freezing due to: (1) the brief
time the product would be in the pump house and (2) secondary heating
occurring from the operation of pumps.


Other single point failures identified as potential causes
for the shutdown of the pump house include: pipe failure, valve leaks,
or human error in adjusting/maintaining pumps, valves, etc. A pipe
failure or leaking valve would likely result in an extensive spill,
since the operations in the pump house are only infrequently checked by
an operator. A secondary failure of all three pumps, for example, could
be caused by a single system fault: operator error in adjusting pumps.
Similar considerations apply to the maintenance and adjustment of the
manual valves in the pump house.


A summary  of  the  reliability  analysis  performed  on  the 
transfer  line  is  presented  in  Table  IV-N. 


At the current design stage of the facility, the selection
of a particular pump model for use in the new pump house has not been
made. Sufficient failure rate data are not available on the two
candidate pumps (Durco "sealmatic" and Wilfley "AF") at this time to
make a quantitative comparison between the two. Since similar materials
of construction will be employed for each pump, failure via corrosion
should not be significantly different between the two pumps. The
primary difference in the design of the two pumps is in the mechanism
by which the mechanical pump seals are released during pumping. The
Wilfley mechanism (mechanical governor) is expected to be slightly more
reliable than the Durco mechanism (pressure via solenoid interlock).
However, as discussed earlier, primary failures of these pumps will not
be as important as, for example, secondary pump failures (incorrect
adjustment, .) or failure of the building heater. This latter failure
would be most critical, with respect to product freezing, during periods
when the pumps feeding the transfer line are temporarily shut down as a
result of some other system failure.


d.  Storage  Tank  and  Heat  Exchanger 

From the analysis, it has been determined that there is
an average probability of .0268 that a failure(s) will occur in the
new storage tank or heat exchanger during 90 days of operation such
that the new pump house would have to be shut down. Shutdown of the
new pump house would result in no product being available from the Tank
Farms only if the failure(s) causing the shutdown requires an extended
repair time. In the analysis, it is conservatively assumed that all
failures leading to a pump house shutdown would necessitate an ultimate
shutdown of both Tank Farms. Conditions under which a pump house
shutdown would be necessary consist of: (1) high product level indicated,
(2) tank or pipe failure (including excessive corrosion), and (3)
blockage due to freezing. An indication of an abnormally high or low
temperature in the tank would not automatically result in a shutdown.


The new storage tank and heat exchanger contribute less
than 20% to the overall average failure probability of .18 for the
entire facility. Although a failure of any one component present in
the level control system interlocked with existing pump house could
cause a shutdown of the storage tank, the .0268 probability value is
mostly associated with abnormal heating operations (bayonet heater,
heat exchanger, or steam tracing) resulting in product freezing or
corrosive failure.
TABLE IV-N

FAILURE OF NEW PUMP HOUSE TO TRANSFER PRODUCT

                                                                  Probability of
                                                Typical Failure   Failure After
     Failure Mode                               Rates             2160 Hours

 1.  Pipe failure (10)                          1 x 10⁻⁸          .0002
 2.  Manual valves (leaking)                    1 x 10⁻⁶          .0132
 3.  Incorrect installation/selection/          NA                .0070
     design of pipes or valves
 4.  Improper adjustment/maintenance            NA                .0030
     of transfer pumps
 5.  Building heater failure (product
     freezes or excessive corrosion)
     A.  Unit heater                            1 x 10⁻⁸          2.2 x 10⁻⁵
     B.  Steam control valve                    7.9 x 10⁻⁶        .0170
     C.  Thermostat                             5 X 10"^          .0110
     D.  Steam pipe failure                     1 x 10⁻⁸          2.2 x 10⁻⁵
     E.  Incorrect installation/selection/      NA                .0040
         design of heater components
 6.  Higher factor failure modes                --                .0004

     Total Probability:                                           .0556

     Average Probability:                                         .0278
A failure in the heat exchanger (insufficient heating)
would ultimately result in the process materials freezing if the backup
bayonet heater were either not turned on (manually) or failed to
deliver sufficient heat when turned on. A failure of either the
temperature transmitter (TT-3) or temperature indicator (TIC-3) to
operate properly could result in both the heat exchanger delivering
insufficient heat and the operator being unaware of the low product
temperature. Under these conditions, the bayonet heater would not
be turned on by the operator and the product would eventually freeze.
Thus, it is recommended that a separate temperature transmitter and
indicator be utilized in the operation of the bayonet heater. This
could be the same equipment employed in the monitoring of the heat
exchanger operation discussed below.


Other single point failures which could cause product
freezing are associated with the common steam supply system feeding
both the heat exchanger and back-up bayonet heater. Failure of the
steam header, pressure indicator, or pipes would fall under this
category.


Several two factor failure modes were identified as possible
causes of product freezing, although these were found to be relatively
insignificant contributors to the overall failure probability. An
example of such a failure mode is a primary failure of the temperature
control valve at the heat exchanger and failure of the operator to
notice the low temperature reading on TIC-3.


With respect to potential overheating problems, it has
been assumed in the analysis that should an abnormally high product
temperature be indicated in the storage tank, the new pump house would
not be shut down. This would depend largely upon the extent of repairs
required to correct the indicated high temperature. The single most
likely cause of a high product temperature is failure of the temperature
control valve (TCV-3) at the heat exchanger, although other single point
failures were identified. Should the operator be unaware of the high
product temperature, thus allowing the problem to go uncorrected, a
secondary failure of the tank or pipes would ultimately occur due to
excessive corrosion. This condition is included in the reliability
analysis of the storage tank operation since it would necessitate the
new pump house to be shut down.


Corrosive failure resulting from an abnormally high product
temperature which goes undetected by the operator would require, in most
cases, a failure in both the heating system and temperature monitoring
system. Failure of the temperature transmitter (TT-3) or
indicator/controller (TIC-3) could result in excessive heating from TCV-3
as well as causing the operator to be unaware of the high product
temperature.
Should TCV-3 fail open, with everything else operating
normally, the temperature of the product in the storage tank would
only gradually increase (as measured by TT-3) whereas the temperature
in the output line coming from the heat exchanger would be at a
critically high level. Under these conditions, excessive corrosion of
the line would occur although pipe failure would not be expected unless
the high product temperature existed for an extended period of time
(> 1 day). Thus, a failure in the temperature monitoring system (TT-3,
TIC-5, operator error) would be required before seriously abnormal
corrosion would occur.


A summary of the reliability analysis performed on the
storage tank and heat exchanger is presented in Table IV-O.


Since there is presently no monitor on the temperature of
product coming out of the heat exchanger, excessive corrosion (high
product temperature) of the heat exchanger and downstream piping would
go uncorrected if the temperature of the bulk material in the storage
tank were measured as being normal. Such a condition could be brought
about through a variety of conditions: improper design, poor tank or
pipe insulation, lower-than-expected outside temperatures, steam tracing
failure to supply sufficient heat, etc. Because the product temperature
is such a critical factor in the reliable operation of the facility, it
is necessary that the operation of the heat exchanger be closely
monitored. It is recommended that a temperature transmitter be installed
immediately downstream from the heat exchanger which would feed a
temperature indicator in Building 330. In this manner, abnormal product
temperatures could be rapidly detected. In fact, the temperature
differential between the storage tank and heat exchanger could be
employed as an indirect indicator of a failure in the steam tracing
system, ineffectiveness of the tank or pipe insulation, blockage in the
circulation product line, or failure of the recirculation pump in the
new pump house. This recommendation has already been made in terms of
significantly reducing the overall probability of an explosion occurring
in the storage tank/heat exchanger area.


Existing  Pump  House 

The reliability analysis on the existing pump house was
similar to that performed on the new pump house and from it, an average
failure probability of .0255 was calculated to exist for 90 days of
operation. Shutdown of the existing pump house would ultimately result
in no product being available from the Tank Farms only if the pump house
shutdown lasted for an extended period of time. In the analysis, it is
conservatively assumed that all failures leading to a pump house
shutdown would necessitate an ultimate shutdown of the Tank Farms.
TABLE IV-O

FAILURE AT NEW STORAGE TANK AND HEAT EXCHANGER

                                                                  Probability of
                                                Typical Failure   Failure After
     Failure Mode                               Rates             2160 Hours

 1.  Tank failure                               1 x 10⁻⁸          2.2 x 10⁻⁵
 2.  LSH-1                                      2 x 10⁻⁶          .0043
 3.  LSHH-2                                     2 x 10⁻⁶          .0043
 4.  LSHH-2 probe                               1 x 10⁻⁶          .0022
 5.  LT-1                                       5 x 10⁻⁷          .0011
 6.  LI-1                                       5 x 10⁻⁷          .0011
 7.  Product freezes due to heat exchanger
     failure and bayonet heater failures
     (or not turned on)
     A.  TT-3                                   5 x 10⁻⁷          .0011
     B.  TIC-3                                  1.6 x 10⁻⁶        .0035
     C.  Steam pipe failure                     1 x 10⁻⁸          2.2 x 10⁻⁵
     D.  Steam header                           1 x 10⁻⁶          .0022
     E.  Steam pressure indicator               8 x 10⁻⁷          .0017
     F.  Higher factor failure modes                              .0001
 8.  Abnormally high product temperature
     causing secondary failure of equipment
     (excessive corrosion)
     A.  TT-3                                   5 x 10⁻⁷          .0011*
     B.  TIC-3                                  1.6 x 10⁻⁶        .0033*
     C.  Steam tracing failure                  (see Table IV-L)  .0069
     D.  Higher factor failure modes                              .0001
     Incorrect installation/selection/          NA                .0120
     design of above items

     Total Probability:                                           .0536

     Average Probability:                                         .0268

* Failure probability already included in item 7 above.
As with the new pump house, primary failure of the pumps
and valves were found to contribute very little to the failure
probability associated with the existing pump house. This is mainly due
to the fact that both pumping circuits would have to be unavailable
before the pump house would be shut down. Thus, a single failure, which
could cause both pumps to be shut down, is more probable than the
simultaneous occurrence of independent failures in both pumps. Due to
the similarities in the operation of the existing and new pump houses,
the reader is directed toward the discussion of the new pump house
operation (Section IV-D-2-c).


V.  TRADE-OFF  STUDY 


Cost trade-off analysis is normally the integrating factor for
the fire/explosion and the reliability analysis. This trade-off
study attempts to minimize cost, in terms of the losses resulting
from catastrophic events and the losses incurred when the facility
is shutdown, by increasing safety or reliability. The expenditures
associated with these potential changes are traded off against the
costs incurred when the system is down as a result of failure.


Based on the proposed design and operation of the AN/NA Transfer
system, an overall explosion probability of 1.1 x 10*^ has been
determined to exist. Any reduction in this relatively low explosion
probability value, through process modifications, increased
preventative maintenance, etc., would be more than offset by the increased
costs associated with such modifications. Thus, any modifications
in process design, maintenance schedules, etc., would not be cost
effective in terms of reducing losses associated with a
catastrophic event.


The recommendations put forth in the Summary section of this
report consist mostly of minor procedural modifications which if
followed would significantly reduce the overall probability of a
catastrophic event occurring in the facility from a level which is
already relatively low. No, or only a marginal, increase in operating
costs would be associated with many of these recommendations. The only
major modification recommended in the facility design consists of
temperature monitoring of the product at the heat exchanger. The equipment
involved would add very little to the overall cost of the facility, but
would significantly reduce the overall probability of an explosion
occurring in the facility from a level which is already relatively low.
In addition, such a modification would reduce the likelihood of
excessive corrosion or process blockage (product freezing) occurring
at the heat exchanger and storage tank as a result of an abnormal
process temperature.


In order to effectively reduce costs associated with system
unreliability, accurate failure rate data must be available on the
components operating in the actual AN/NA transfer system Vi » 'tst.

this can best be obtained by keeping careful and

records. From these operational records, reliability may be increased
via availability of spares and/or increased maintenance.
APPENDIX A


LOGIC  MODEL 
APPENDIX B


EXPERIMENTAL  DISCUSSION 

Material  response  testing  for  this  program  was  conducted  in  accordance 
with  Hercules  procedures.  The  specific  details  of  each  test  procedure  have 
not  been  included  in  this  report  since  most  of  the  tests  are  fully  described 
in  the  literature. Any  specific  questions  concerning  any  of  the  tests  or 
experimental  results  discussed  previously  in  this  report  should  be  directed 
to  ABL. 

The following is a brief description of each of the tests used to
obtain the material response data for this program:

1. Impact

Impact testing of process materials was conducted on the ABL impact
machine. The ABL impact machine is designed to deliver controlled energy
from a falling weight retained in guide bars, through an intermediate
hammer, to the test material resting on an anvil. The machine provides a valid
means of obtaining initiation data by impacting a small sample. The data
obtained reflect the effects of velocity, hammer area, particle size, sample
thickness, materials of construction, sample temperature and sample
confinement.


Initiation is detected by observing odor, stain, smoke, sample
scattering, noise, etc. When any doubt exists concerning initiation
detection, the limits of the operator's judgment are extended through the
use of an infrared analyzer. This device is capable of detecting
decomposition products, including such gases as CO, CO2, NO2 and N2O,
between 4-5 microns in the spectra wavelength with a sensitivity limit of
about 40 parts/million.

2.  Friction 

Friction testing was conducted on the Model I Sliding Friction
machine, a pendulum-driven device. This machine is a versatile device which
is capable of determining the initiation response of explosive materials to
friction over a wide range of conditions. The machine can duplicate almost
any frictional situation with respect to frictional force, velocity,
sliding distance, materials of construction involved, and environment.

3.  Electrostatic  Discharge 

The electrostatic discharge test is designed to determine the response of
sensitive materials to various electrostatic discharge energy levels. The
material to be tested is placed within a grounded sample container, and
electrostatic energies of various known magnitudes are passed from a point
source through the sample until a maximum energy which will not result in
initiation in 20 successive trials is established. Energy sources consist
of charged capacitors as well as the energy delivered by a human spark.

4. Particle Impingement

This test is designed to simulate pumping of explosive liquids by impinging
various sized samples up to velocities of 40,000 fpa onto a target.
Initiation is detected by either a Polaroid camera to record initiation
flashes or a force gage.


5. Transition

The transition test consists of subjecting explosive materials to bottom
flame initiation from a 12 gram (6 gram FFFG and 6 gram 2056 casting
powder) bag igniter. The explosive is placed in schedule 40 pipe, and pipe
diameter and length are varied to obtain a relationship between confinement
diameter and critical height to explosion. The critical height is that level
above which explosions will occur as a result of 3 failures at that level.
Standard container diameters are 1, 2 and 4 inch pipe.

6.  Explosive  Propagation 

This test is designed to determine the minimum diameter above which process
materials will propagate a high order reaction when confined in a 24" long
steel pipe. The booster material employed as the detonation source is
Comp. C-4. Detection method consists of a lead plate with Primacord, in
addition to visible inspection.

7. Sustained Reaction (Fire)

This test consists of exposing a 1/2 inch thick layer of material to an
energetic ignition source (thermite igniter or Atlas match) to determine if
a sustained burning results. The material is held in an 8" long aluminum tray
and the igniter is placed inside the tray, at the bottom of the test material.
Visual observation of the material after ignition determines the extent of the
burning reaction.
RELIABILITY CALCULATIONS

The probability of a component failing after a given time interval in
hours is calculated as follows:

$$\text{Probability of Failure} = 1 - e^{-(\text{Failure Rate}) \times (\text{Hours})} \approx (\text{Failure Rate}) \times (\text{Hours})$$

For example, if the failure rate is $5 \times 10^{-6}$ and the time interval is
2160 hours, the probability of failure is:

$$\text{Probability of Failure} = 1 - e^{-(5 \times 10^{-6})(2160)} \approx (5 \times 10^{-6}) \times (2160) \approx 0.0108$$

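For two components to fail simultaneously:

$$\text{Probability of failure} = (1 - e^{-\lambda_1 t_1})(1 - e^{-\lambda_2 t_2}) \approx (\lambda_1 t_1)(\lambda_2 t_2) \approx \lambda_1 \lambda_2 (\text{time})^2$$

For example, if $\lambda_1 = 3.0 \times 10^{-6}$, $\lambda_2 = 2.0 \times 10^{-6}$, and $t = 2160$ hours, then

$$\lambda_1 t = (3.0 \times 10^{-6})(2160) = 6.48 \times 10^{-3}$$

$$\lambda_2 t = (2.0 \times 10^{-6})(2160) = 4.32 \times 10^{-3}$$

$$\lambda_1 t \, \lambda_2 t = (3.0 \times 10^{-6})(2.0 \times 10^{-6})(2160)^2 = (6 \times 10^{-12})(4.6656 \times 10^{6}) = 2.8 \times 10^{-5}$$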


This example indicates that the single factor failure mode gives
probabilities of failure of $6.5 \times 10^{-3}$ and $4.3 \times 10^{-3}$, while the
probability that they will fail simultaneously is $2.8 \times 10^{-5}$. Thus, a
single factor failure mode is approximately 100 times more severe
($\approx 10^{-3}$ vs $\approx 10^{-5}$ probability) than two factor failure modes, or it
requires approximately 100 two factor failure modes to be equivalent to one
single factor failure mode. (For a further discussion of mathematical
treatment of this subject, see reference 18.)

This low contribution of two factor failure modes was also the
justification for merely adding the probabilities of failure. That is,
conventional probability theory for adding of probabilities is as follows:

$$P(\epsilon_1 + \epsilon_2 + \epsilon_3 + \cdots + \epsilon_r) = \sum_{i=1}^{r} P(\epsilon_i) - \sum_{i=1}^{r} \sum_{j=1}^{r} P(\epsilon_i) P(\epsilon_j) + \text{higher order terms}$$

However, as was numerically illustrated, the contribution of the two factor
failure modes may be neglected since they are very small in relation to the
single factors. Thus,

$$\sum_{i=1}^{r} \sum_{j=1}^{r} P(\epsilon_i) P(\epsilon_j) \approx 0 \quad \text{(all other higher order terms are zero also)}$$

or

$$P(\epsilon_1 + \epsilon_2 + \epsilon_3 + \cdots + \epsilon_r) \approx P(\epsilon_1) + P(\epsilon_2) + \cdots + P(\epsilon_r)$$
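The approximations in this appendix can be checked numerically against their exact forms. The following is an added example, not part of the original report; the function names are illustrative, the components are assumed independent (as the product formula implies), and the second-order term is counted once per distinct pair.

```python
import math
from itertools import combinations

def p_fail(rate, hours):
    """Exact probability that a constant-rate component has failed by `hours`."""
    return -math.expm1(-rate * hours)  # 1 - e^(-rate*hours), stable for small arguments

def p_fail_linear(rate, hours):
    """First-order approximation used in the appendix: rate * hours."""
    return rate * hours

def p_any_exact(probs):
    """Exact probability that at least one of several independent events occurs."""
    return 1.0 - math.prod(1.0 - p for p in probs)

def pairwise_term(probs):
    """Second-order inclusion-exclusion term, one product per distinct pair."""
    return sum(a * b for a, b in combinations(probs, 2))

def compare(rates, hours):
    """Exact and approximate figures side by side, so each error is visible."""
    singles = [p_fail(r, hours) for r in rates]
    total = sum(singles)
    any_exact = p_any_exact(singles)
    return {
        "singles_exact": singles,
        "singles_linear": [p_fail_linear(r, hours) for r in rates],
        "all_fail_exact": math.prod(singles),
        "all_fail_linear": math.prod(p_fail_linear(r, hours) for r in rates),
        "any_exact": any_exact,
        "any_sum": total,                      # the simple addition the appendix adopts
        "sum_overestimate": total - any_exact,  # what the addition leaves out
        "pairwise_term": pairwise_term(singles),
    }

if __name__ == "__main__":
    # Figures taken from the appendix's worked examples.
    print("single component:", p_fail(5e-6, 2160), "vs linear", p_fail_linear(5e-6, 2160))
    for key, value in compare([3.0e-6, 2.0e-6], 2160).items():
        print(key, value)
```

For these inputs the simple sum overstates the exact combined probability by exactly the pairwise term, so adding probabilities errs on the conservative side.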
APPENDIX D


CALCULATION OF ADIABATIC FLAME TEMPERATURE FOR AN


The  most  favorable  decomposition  reaction  path  for  AN  from  a free 
energy  standpoint  is; 


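$$\mathrm{NH_4NO_3 \longrightarrow 2\,H_2O + N_2 + \tfrac{1}{2}\,O_2} \qquad (9.16)$$

which liberates 28,470 calories/g-mole AN, with all products in the
gaseous state at 23 °C.

$$Q = (1\ \text{lb-mole NH}_4\text{NO}_3)\,(28{,}470\ \text{cal/g-mole})\left(\frac{\dots}{\text{lb-mole}}\right)\left(\frac{\dots}{252\ \text{cal}}\right) = 5.14 \times 10^{4}\ \text{Btu}$$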


The heat balance is:

$$C_{p,\mathrm{N_2}} = 7.2\ \text{Btu/lb-mole °F} \quad \text{(heat capacities at a temperature of 1000°F for all gases)}$$

$$C_{p,\mathrm{H_2O(g)}} = 8.7\ \text{Btu/lb-mole °F}$$

$$5.14 \times 10^{4} = 1.0\,(7.2)(T - 77) + 0.5\,(7.6)(T - 77) + 2.0\,(8.7)(T - 77)$$

$$T = 1890\ \text{°F}$$


Since the minimum temperature for a flame is 1500°K or 2241°F, there
is no possibility of a flame occurring with pure AN.
The particular decomposition reaction path employed in this
analysis is, from a free energy standpoint, the most favorable. It
is possible, indeed likely, that additional decomposition reactions
may also occur. One alternative reaction suggested by Holston
involves the formation of nitrous oxide, dinitrogen tetroxide, and
water as decomposition products:

$$\mathrm{NH_4NO_3 \longrightarrow \tfrac{1}{3}\,N_2O + \tfrac{1}{6}\,N_2O_4 + 2\,H_2O + \tfrac{1}{2}\,N_2}$$

The heat of reaction of this equation is calculated (via heat of
formation considerations) to be about 20,634 cal/g-mole. Using a
similar "heat balance" approach employed above, an adiabatic flame
temperature of 835°F is calculated. This value is again well below
the 2241°F minimum temperature level required for a flame to occur.


